ABSTRACT

A proof system based on temporal logic is presented for proving properties of concurrent
programs based on the shared-variables computation model. The system consists of three parts:
the general uninterpreted part, the domain dependent part, and the program dependent part. In the
general part we give a complete proof system for first-order temporal logic with detailed proofs of
useful theorems. This logic enables reasoning about general time sequences. The domain dependent
part characterizes the special properties of the domain over which the program operates. The
program dependent part introduces program axioms which restrict the time sequences considered
to be execution sequences of a given program.

The utility of the full system is demonstrated by proving invariance, liveness and precedence
properties of several concurrent programs. Derived proof principles for these classes of properties
are obtained and lead to a compact representation of proofs.
A. INTRODUCTION

In this work we present a proof system based on temporal logic for proving the properties of
concurrent programs. We refer the reader to [MP1] for a more detailed discussion of the computational
model of concurrent programs, and the advantages offered by the language of temporal
logic in formulating properties of concurrent programs.


1.  THE  TEMPORAL  LANGUAGE:  SYNTAX  AND  SEMANTICS 


We  first  describe  the  temporal  language  we  are  going  to  use.  This  language  contains  special 
constructs  that  are  suitable  for  reasoning  about  programs. 

The  language  uses  a  set  of  basic  symbols  consisting  of  individual  variables  and  constants, 
propositions,  and  function  and  predicate  symbols.  The  set  is  partitioned  into  two  subsets:  global 
and  local  symbols.  Intuitively  speaking,  the  global  symbols  denote  entities  that  do  not  change 
during  a  program  execution.  The  local  symbols,  on  the  other  hand,  may  change  their  meanings 
and  values  in  different  states  throughout  the  execution.  For  our  purpose,  the  only  local  symbols 
that  interest  us  are  local  individual  variables  and  propositions.  We  will  have  global  symbols  of  all 
types. 

We use the usual set of boolean connectives: $\wedge$, $\vee$, $\supset$, $\equiv$, and $\sim$, together with the equality
predicate $=$ and the first-order quantifiers $\forall$ and $\exists$. These operators are referred to as the classical
operators. The quantifiers $\forall$ and $\exists$ are applied only to global individual variables.

The modal operators used are: $\Box$, $\Diamond$, $\bigcirc$, and $\mathcal{U}$, which are called respectively the always,
sometime, next and until operators. The first three operators are unary while the $\mathcal{U}$ operator is
binary. We use the next operator, $\bigcirc$, in two different ways: as a temporal operator applied to
formulas and as a temporal operator applied to terms.

A model $(I, \alpha, \sigma)$ for our language consists of a (global) interpretation $I$, a (global) assignment
$\alpha$ and a sequence of states $\sigma$.

•  The interpretation $I$ specifies a nonempty domain $D$ and assigns concrete elements,
functions and predicates to the (global) individual constants, function
and predicate symbols.

•  The assignment $\alpha$ assigns a value over the appropriate domain to each of the
global individual variables.

•  The sequence $\sigma = s_0, s_1, \ldots$ is an infinite sequence of states. Each state $s_i$
assigns values to the local individual variables and propositions.


For a sequence

$$\sigma = s_0, s_1, \ldots$$

we denote by

$$\sigma^{(i)} = s_i, s_{i+1}, \ldots$$

the $i$-truncated suffix of $\sigma$.

Given a temporal formula $w$, we present below an inductive definition of the truth value of $w$
in a model $(I, \alpha, \sigma)$. The value of a subformula or term $\tau$ under $(I, \alpha, \sigma)$ is denoted by $\tau|^{\alpha}_{\sigma}$, with
$I$ being implicitly understood.

Consider first the evaluation of terms:

•  For a local individual variable or local proposition $y$:

$$y|^{\alpha}_{\sigma} = s_0[y],$$

i.e., the value assigned to $y$ in $s_0$, the first state of $\sigma$.

•  For a global individual variable $u$:

$$u|^{\alpha}_{\sigma} = \alpha[u],$$

i.e., the value assigned to $u$ by $\alpha$.

•  For an individual constant the evaluation is given by $I$.

•  For a $k$-ary function $f$:

$$f(t_1, \ldots, t_k)|^{\alpha}_{\sigma} = I[f](t_1|^{\alpha}_{\sigma}, \ldots, t_k|^{\alpha}_{\sigma}),$$

i.e., the value is given by the application of the interpreted function $I[f]$ to the
values of $t_1, \ldots, t_k$ evaluated in the model $(I, \alpha, \sigma)$.

•  For a term $t$:

$$(\bigcirc t)|^{\alpha}_{\sigma} = t|^{\alpha}_{\sigma^{(1)}},$$

i.e., the value of $\bigcirc t$ in $\sigma = s_0, s_1, \ldots$ is given by the value of $t$ in the 1-truncated
suffix $\sigma^{(1)} = s_1, s_2, \ldots$.

Consider now the evaluation of formulas:

•  For a $k$-ary predicate $p$ (including equality):

$$p(t_1, \ldots, t_k)|^{\alpha}_{\sigma} = I[p](t_1|^{\alpha}_{\sigma}, \ldots, t_k|^{\alpha}_{\sigma}).$$

Here again, we first evaluate the arguments in the model and then test $I[p]$ on
them.

•  For a disjunction:

$(w_1 \vee w_2)|^{\alpha}_{\sigma} = true$ if and only if $w_1|^{\alpha}_{\sigma} = true$ or $w_2|^{\alpha}_{\sigma} = true$.

And similarly for the other binary boolean connectives $\wedge$, $\supset$, and $\equiv$.

•  For a negation:

$(\sim w)|^{\alpha}_{\sigma} = true$ if and only if $w|^{\alpha}_{\sigma} = false$.

•  For a next-time application:

$$(\bigcirc w)|^{\alpha}_{\sigma} = w|^{\alpha}_{\sigma^{(1)}}.$$

Thus $\bigcirc w$ means: $w$ will be true in the next instant, read "next $w$".

•  For an all-times application:

$(\Box w)|^{\alpha}_{\sigma} = true$ if and only if for every $k \geq 0$, $w|^{\alpha}_{\sigma^{(k)}} = true$,

i.e., $w$ is true for all suffix sequences of $\sigma$. Thus $\Box w$ means: $w$ is true for all
future instants (including the present), read "always $w$" or "henceforth $w$".

•  For a some-time application:

$(\Diamond w)|^{\alpha}_{\sigma} = true$ if and only if there exists a $k \geq 0$ such that $w|^{\alpha}_{\sigma^{(k)}} = true$,

i.e., $w$ is true on at least one suffix of $\sigma$. Thus $\Diamond w$ means: $w$ will be true for
some future instant (possibly the present), read "sometime $w$" or "eventually $w$".

•  For an until application:

$(w_1\,\mathcal{U}\,w_2)|^{\alpha}_{\sigma} = true$ if and only if for some $k \geq 0$, $w_2|^{\alpha}_{\sigma^{(k)}} = true$ and
for all $i$, $0 \leq i < k$, $w_1|^{\alpha}_{\sigma^{(i)}} = true$.

Thus $w_1\,\mathcal{U}\,w_2$ means: there is a future instant in which $w_2$ holds, and such that
until that instant $w_1$ continuously holds, read "$w_1$ until $w_2$" ([KAM], [GPSS]).

•  For a universal quantification:

$(\forall u.w)|^{\alpha}_{\sigma} = true$ if and only if for every $d \in D$, $w|^{\alpha'}_{\sigma} = true$,
where $\alpha' = \alpha[u \leftarrow d]$ is the assignment obtained from $\alpha$ by assigning $d$ to $u$.

•  For an existential quantification:

$(\exists u.w)|^{\alpha}_{\sigma} = true$ if and only if for some $d \in D$, $w|^{\alpha'}_{\sigma} = true$,
where $\alpha' = \alpha[u \leftarrow d]$.

Following are some examples of temporal expressions and their intuitive interpretations:

$u \supset \Diamond v$
     If $u$ is presently true, $v$ will eventually become true.

$\Box(u \supset \Diamond v)$
     Whenever $u$ becomes true it will eventually be followed by $v$.

$\Diamond\Box w$
     At some future instant $w$ will become permanently true.

$\Diamond(w \wedge \bigcirc\sim w)$
     There will be a future instant such that $w$ is true at that instant
     and false at the next.

$\Box\Diamond w$
     Every future instant is followed by a later one in which $w$ is true,
     thus $w$ is true infinitely often.

$\Box(u \supset \Box v)$
     If $u$ ever becomes true, then $v$ is true at that instant and ever after.

$\Box u \vee (u\,\mathcal{U}\,v)$
     Either $u$ holds continuously or it holds until an occurrence of $v$.
     This is the weak form of the until operator; it states that $u$ will hold
     continuously until the first occurrence of $v$ if $v$ ever happens,
     or indefinitely otherwise.

$\Diamond v \supset ((\sim v)\,\mathcal{U}\,u)$
     If $v$ ever happens, its first occurrence is preceded by (or coincides with) $u$.

If $w$ is true under the model $(I, \alpha, \sigma)$, we say that $(I, \alpha, \sigma)$ satisfies $w$ or that $(I, \alpha, \sigma)$ is a
(satisfying) model for $w$. We denote this by

$$(I, \alpha, \sigma) \models w.$$

A formula $w$ is satisfiable if there exists a satisfying model for it.

A formula $w$ is valid if it is true in every model; in this case we write

$$\models w.$$

Sometimes we are interested in a restricted class of models $C$. A formula $w$ which is true for
every model in $C$ is said to be $C$-valid, denoted by

$$C \models w.$$


Example:

The formula $\Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2)$ is valid, i.e.,

$$\models \Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2).$$

It says that if there exists an instant in which both $w_1$ and $w_2$ are true then there exists an instant
in which $w_1$ is true and there exists an instant in which $w_2$ is true.

Reversing the implication does not yield a valid formula, i.e.,

$$\not\models (\Diamond w_1 \wedge \Diamond w_2) \supset \Diamond(w_1 \wedge w_2).$$

For, consider an interpretation consisting of a sequence of states

$$\sigma = s_0, s_1, s_2, \ldots$$

such that $w_1$ is true on all odd-numbered states and false elsewhere, and $w_2$ is true on all the even-numbered
states and false on the odd ones. Then certainly both $\Diamond w_1$ and $\Diamond w_2$ are true on $\sigma$,
hence $\Diamond w_1 \wedge \Diamond w_2$ is true. On the other hand, there is no state on which both $w_1$ and $w_2$ are
true simultaneously. Hence $\Diamond(w_1 \wedge w_2)$ is false. Consequently the implication is false under the
interpretation $\sigma$.


2. THE PROOF SYSTEM

Having defined valid formulas, we naturally look for a deductive system in which validity can
be proved. In such a system we take some of the valid formulas as axioms and provide a set of
sound inference rules by which we hope to be able to prove the other valid formulas as theorems.
A formula $w$ is a theorem of the system either if it is an axiom of the system or has a proof in
which it is derived from the axioms using the inference rules of the system. We denote the fact
that $w$ is a theorem, i.e. is provable within the system, by $\vdash w$.

Our interest in the temporal logic formalism is mainly motivated by the applicability of this
logic to proving properties of concurrent programs. Therefore, apart from developing the general
basic logical properties of the operators and their interrelations, we will mostly be interested in
properties that are valid over computations of a given concurrent program $P$. Thus, the notion of
validity our system will try to capture is that of a formula being true for all possible computations
of the given program, and not necessarily over an arbitrary model. This corresponds to the concept
of $\mathcal{A}(P)$-validity where $\mathcal{A}(P)$ is the class of all models corresponding to computations of $P$.

We structure our proof system into three main layers according to the universal validity of
the theorems that can be derived in each layer. In the first layer, called the general part, we deal
with the general temporal properties of discrete linear sequences (arbitrary models). Theorems
proved in that part are valid for all sequences over arbitrary domains. They universally hold for
arbitrary computations of all programs over such domains, as well as for sequences which cannot
even be derived as the computations of a program. In the next layer, the domain part, we restrict
our attention to a particular domain $D$ and provide tools for proving validity over models all of
which are interpreted over $D$. The third, most restrictive layer is the program part. Here we
restrict our attention to a particular program $P$ and develop tools for proving validity only over
models whose sequences are legal computations of $P$.

In a forthcoming paper, the program dependent part is proved to be complete relative to the
general temporal theory over the data domain. We also show that its dependence on the particular
computation model studied is modular, by presenting a similar system for proving properties of
CSP programs.


B. GENERAL PART

We start the general part by describing first the axiomatic system for propositional temporal
logic in which we do not admit predicates or quantification.


3. THE PROPOSITIONAL TEMPORAL SYSTEM ($\Box$, $\Diamond$, $\bigcirc$ AND $\mathcal{U}$)

The proof system for the propositional part consists of the following axioms:

AXIOMS:

A1.  $\vdash \sim\Diamond w \equiv \Box\sim w$

A2.  $\vdash \Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$

A3.  $\vdash \Box w \supset w$

A4.  $\vdash \sim\bigcirc w \equiv \bigcirc\sim w$

A5.  $\vdash \bigcirc(w_1 \supset w_2) \supset (\bigcirc w_1 \supset \bigcirc w_2)$

A6.  $\vdash \Box w \supset \bigcirc w$

A7.  $\vdash \Box w \supset \bigcirc\Box w$

A8.  $\vdash \Box(w \supset \bigcirc w) \supset (w \supset \Box w)$

A9.  $\vdash (w_1\,\mathcal{U}\,w_2) \equiv [w_2 \vee (w_1 \wedge \bigcirc(w_1\,\mathcal{U}\,w_2))]$

A10. $\vdash (w_1\,\mathcal{U}\,w_2) \supset \Diamond w_2$

Axiom A1 defines $\Diamond$ as the dual of $\Box$; it states that at all times $w$ is false if and only if it is
not the case that sometimes $w$ holds. Axiom A2 states that if universally $w_1$ implies $w_2$ then if
at all times $w_1$ is true then so is $w_2$. Axiom A3 establishes the present as part of the future by
stating that if $w$ is true at all future instants it must be true at the present. Axiom A4 establishes
$\bigcirc$ as self-dual. Consequently it implies that the next instant exists and is unique, and restricts our
models to linear sequences (no branching). Axiom A5 is the analogue of A2 for the $\bigcirc$ operator.
Axiom A6 states that the next instant is one of the future states. Axiom A7 states that if $w$
holds in all future instants it also holds in all instants which lie in the future of the next instant.
Axiom A8 is the "computational induction" axiom; it states that if a property is inherited over
one-step transitions, it is invariant over any suffix sequence whose first state satisfies $w$. Axiom A9
characterizes the until operator by distributing its effect into what is implied for the present and
what is implied for the next instant. Axiom A10 simply states that "$w_1$ until $w_2$" implies that $w_2$
will eventually happen.


INFERENCE RULES:

R1. Propositional Tautology (PT)

    If $u$ is an instance of a propositional tautology then $\vdash u$.

R2. Modus Ponens (MP)

    If $\vdash u \supset v$ and $\vdash u$ then $\vdash v$.

R3. $\Box$ Insertion ($\Box$I)

    If $\vdash u$ then $\vdash \Box u$.

All these rules are sound. The soundness of R1 and R2 is obvious. Note that in R1 we also
include temporal instances of tautologies; we may substitute an arbitrary temporal formula for a
proposition letter in obtaining an instance. For example, the formula $\Box w \supset \Box w$ is a temporal
instance of the tautology $p \supset p$. To justify R3, we recall that validity of $w$ means that $w$ is true in
all models, hence $\Box w$ is also valid.


DERIVED RULES AND THEOREMS:

Before giving some theorems that can be proved in this system, we develop several useful
derived rules:

Propositional Reasoning (PR)

$$\frac{\vdash (u_1 \wedge u_2 \wedge \ldots \wedge u_n) \supset v,\quad \vdash u_1,\ \vdash u_2,\ \ldots,\ \vdash u_n}{\vdash v}$$

The notation above is used to describe inference rules. It has the general form

$$\frac{\vdash \varphi_1,\ \vdash \varphi_2,\ \ldots,\ \vdash \varphi_m}{\vdash \psi}$$

and means that if we have already proved $\varphi_1, \ldots, \varphi_m$ (the assumptions or premises of the rule),
we are allowed by this rule to infer $\psi$ (the conclusion or consequent of the rule).

Proof:

The rule PR follows from the propositional tautology (Rule R1)

$$\vdash [(u_1 \wedge u_2 \wedge \ldots \wedge u_n) \supset v] \supset [u_1 \supset (u_2 \supset (\cdots (u_n \supset v) \cdots))]$$

by applying MP (Rule R2) $n+1$ times.

Whenever we apply this derived rule without explicitly indicating the premise
$\vdash (u_1 \wedge u_2 \wedge \ldots \wedge u_n) \supset v$,
it means that the premise is an instance of a propositional tautology.


$\bigcirc$ Insertion ($\bigcirc$I)

$$\frac{\vdash u}{\vdash \bigcirc u}$$

Proof:

1. $\vdash u$                  given
2. $\vdash \Box u$             by $\Box$I
3. $\vdash \bigcirc u$         by A6 and MP

The first theorem that we derive in the system is:

T1. $\vdash w \supset \Diamond w$

Proof:

1. $\vdash (\Box\sim w) \supset \sim w$          by A3
2. $\vdash w \supset (\sim\Box\sim w)$           by 1 and PR
3. $\vdash w \supset \Diamond w$                 by A1 and PR
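The proof of T1 above is a checkable object: every line is an axiom instance, a temporal instance of a tautology (rule R1), or follows from earlier lines by MP, $\Box$I or the derived rule PR. The following checker, an added example and not code from the paper, makes that precise. It encodes formulas as nested tuples with the letters G, F, X, U standing for $\Box$, $\Diamond$, $\bigcirc$, $\mathcal{U}$ (my naming), decides "temporal instance of a tautology" by treating the maximal non-boolean subformulas as proposition letters and enumerating valuations, matches axiom schemas A1 to A10 by unification, and checks PR as "the conjunction of the cited lines implies the new line" tautologically. The A1 instance that the paper's step 3 cites implicitly is written out as its own proof line, since the checker only accepts references to earlier lines.

```python
import itertools

# Formulas are nested tuples. A proposition letter is a str; ("not", f), ("and", f, g),
# ("or", f, g), ("imp", f, g), ("iff", f, g) are the classical connectives; ("G", f),
# ("F", f), ("X", f) are always, sometime and next; ("U", f, g) is until.
BOOLEAN = {"not", "and", "or", "imp", "iff"}

def is_atomic(f):
    """A proposition letter, or a formula whose main operator is temporal.
    Rule R1 treats exactly these as the 'proposition letters' of a tautology."""
    return isinstance(f, str) or f[0] not in BOOLEAN

def atoms(f, found):
    if is_atomic(f):
        if f not in found:
            found.append(f)
    else:
        for g in f[1:]:
            atoms(g, found)
    return found

def truth(f, val):
    if is_atomic(f):
        return val[f]
    op = f[0]
    if op == "not":
        return not truth(f[1], val)
    a, b = truth(f[1], val), truth(f[2], val)
    return {"and": a and b, "or": a or b, "imp": (not a) or b, "iff": a == b}[op]

def is_temporal_tautology(f):
    """R1: f is true under every valuation of its atoms (letters and temporal subformulas)."""
    letters = atoms(f, [])
    return all(truth(f, dict(zip(letters, bits)))
               for bits in itertools.product((False, True), repeat=len(letters)))

# Axiom schemas A1-A10 of the propositional system. Names starting with '?' are
# metavariables; an instance may replace each of them by any formula.
AXIOMS = {
    "A1": ("iff", ("not", ("F", "?w")), ("G", ("not", "?w"))),
    "A2": ("imp", ("G", ("imp", "?w1", "?w2")), ("imp", ("G", "?w1"), ("G", "?w2"))),
    "A3": ("imp", ("G", "?w"), "?w"),
    "A4": ("iff", ("not", ("X", "?w")), ("X", ("not", "?w"))),
    "A5": ("imp", ("X", ("imp", "?w1", "?w2")), ("imp", ("X", "?w1"), ("X", "?w2"))),
    "A6": ("imp", ("G", "?w"), ("X", "?w")),
    "A7": ("imp", ("G", "?w"), ("X", ("G", "?w"))),
    "A8": ("imp", ("G", ("imp", "?w", ("X", "?w"))), ("imp", "?w", ("G", "?w"))),
    "A9": ("iff", ("U", "?w1", "?w2"),
           ("or", "?w2", ("and", "?w1", ("X", ("U", "?w1", "?w2"))))),
    "A10": ("imp", ("U", "?w1", "?w2"), ("F", "?w2")),
}

def matches(pattern, f, env):
    """Does f instantiate the schema? env records what each metavariable stands for."""
    if isinstance(pattern, str) and pattern.startswith("?"):
        if pattern in env:
            return env[pattern] == f
        env[pattern] = f
        return True
    if isinstance(pattern, str) or isinstance(f, str):
        return pattern == f
    return (pattern[0] == f[0] and len(pattern) == len(f)
            and all(matches(p, g, env) for p, g in zip(pattern[1:], f[1:])))

def check_proof(proof):
    """proof is a list of (formula, justification). Justifications are
    ("axiom", name), ("PT",), ("MP", i, j) with line i = u ⊃ v and line j = u,
    ("GI", i) for □-insertion, and ("PR", i, ...) meaning (u_i ∧ ...) ⊃ v is a tautology.
    Returns the last formula, or raises ValueError at the first unjustified line."""
    proved = []
    for n, (f, just) in enumerate(proof, 1):
        kind, refs = just[0], just[1:]
        if kind == "axiom":
            ok = matches(AXIOMS[refs[0]], f, {})
        elif kind == "PT":
            ok = is_temporal_tautology(f)
        elif kind == "MP":
            ok = proved[refs[0] - 1] == ("imp", proved[refs[1] - 1], f)
        elif kind == "GI":
            ok = f == ("G", proved[refs[0] - 1])
        elif kind == "PR":
            premises = [proved[i - 1] for i in refs]
            conj = premises[0]
            for p in premises[1:]:
                conj = ("and", conj, p)
            ok = is_temporal_tautology(("imp", conj, f))
        else:
            ok = False
        if not ok:
            raise ValueError(f"line {n}: {f} is not justified by {just}")
        proved.append(f)
    return proved[-1]

# Theorem T1, ⊢ w ⊃ ◇w. The A1 instance used by the paper's step 3 is line 3 here.
W = "w"
T1_PROOF = [
    (("imp", ("G", ("not", W)), ("not", W)), ("axiom", "A3")),
    (("imp", W, ("not", ("G", ("not", W)))), ("PR", 1)),
    (("iff", ("not", ("F", W)), ("G", ("not", W))), ("axiom", "A1")),
    (("imp", W, ("F", W)), ("PR", 2, 3)),
]

if __name__ == "__main__":
    print("T1 checked:", check_proof(T1_PROOF))
```

The checker deliberately refuses a line such as $\vdash w \supset \Box w$ justified "by A3": the schema is $\Box w \supset w$ and unification fails, which is exactly the kind of direction error that an informal "by A3" hides.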

The theorem implies (by MP) the derived rule

$\Diamond$ Insertion ($\Diamond$I)

$$\frac{\vdash u}{\vdash \Diamond u}$$

T2. $\vdash \bigcirc w \supset \Diamond w$

Proof:

1. $\vdash (\Box\sim w) \supset (\bigcirc\sim w)$             by A6
2. $\vdash (\sim\bigcirc\sim w) \supset (\sim\Box\sim w)$     by PR
3. $\vdash \bigcirc w \supset \Diamond w$                      by A1, A4 and PR


The  following  three  rules  (and  a  similar  rule  for  the  until  operator  presented  later)  show  that 
all  the  temporal  operators  are  monotonic  in  the  sense  that  an  argument  may  be  replaced  by  a 
weaker  statement  yielding  a  weaker  expression. 


$\Box\Box$ Rules

(a)
$$\frac{\vdash u \supset v}{\vdash \Box u \supset \Box v}$$

(b)
$$\frac{\vdash u \equiv v}{\vdash \Box u \equiv \Box v}$$

Proof of (a):

1. $\vdash u \supset v$                                          given
2. $\vdash \Box(u \supset v)$                                    by $\Box$I
3. $\vdash \Box(u \supset v) \supset (\Box u \supset \Box v)$    by A2
4. $\vdash \Box u \supset \Box v$                                by 2, 3 and MP

Rule (b) then follows by propositional reasoning by using the tautology
$[(u \supset v) \wedge (v \supset u)] \equiv (u \equiv v)$.


$\Diamond\Diamond$ Rules

(a)
$$\frac{\vdash u \supset v}{\vdash \Diamond u \supset \Diamond v}$$

(b)
$$\frac{\vdash u \equiv v}{\vdash \Diamond u \equiv \Diamond v}$$

Proof of (a):

1. $\vdash u \supset v$                              given
2. $\vdash \sim v \supset \sim u$                    by PR
3. $\vdash \Box\sim v \supset \Box\sim u$            by $\Box\Box$
4. $\vdash \sim\Diamond v \supset \sim\Diamond u$    by A1 and PR
5. $\vdash \Diamond u \supset \Diamond v$            by PR

Rule (b) then follows by propositional reasoning.

$\bigcirc\bigcirc$ Rules

(a)
$$\frac{\vdash u \supset v}{\vdash \bigcirc u \supset \bigcirc v}$$

(b)
$$\frac{\vdash u \equiv v}{\vdash \bigcirc u \equiv \bigcirc v}$$

Proof of (a):

1. $\vdash u \supset v$                              given
2. $\vdash \bigcirc(u \supset v)$                    by $\bigcirc$I
3. $\vdash \bigcirc u \supset \bigcirc v$            by A5 and MP

Rule (b) follows by propositional reasoning.


Computational Induction Rule (CI)

$$\frac{\vdash u \supset \bigcirc u}{\vdash u \supset \Box u}$$

Proof:

1. $\vdash u \supset \bigcirc u$                                            given
2. $\vdash \Box(u \supset \bigcirc u)$                                      by $\Box$I
3. $\vdash \Box(u \supset \bigcirc u) \supset (u \supset \Box u)$           by A8
4. $\vdash u \supset \Box u$                                                by 2, 3 and MP

Derived Computational Induction Rule (DCI)

$$\frac{\vdash u \supset (v \wedge \bigcirc u)}{\vdash u \supset \Box v}$$

Proof:

1. $\vdash u \supset (v \wedge \bigcirc u)$          given
2. $\vdash u \supset \bigcirc u$                     by PR
3. $\vdash u \supset \Box u$                         by CI
4. $\vdash u \supset v$                              by 1 and PR
5. $\vdash \Box u \supset \Box v$                    by $\Box\Box$
6. $\vdash u \supset \Box v$                         by 3, 5 and PR


T4. $\vdash \Diamond w \equiv \Diamond\Diamond w$

Proof:

1. $\vdash \sim\Diamond w \equiv \Box\sim w$                        by A1
2. $\vdash \Box\sim w \equiv \Box\Box\sim w$                        by T3
3. $\vdash \Box\sim\Diamond w \equiv \Box\Box\sim w$                by 1 and $\Box\Box$
4. $\vdash \Box\sim\Diamond w \equiv \sim\Diamond\Diamond w$        by A1
5. $\vdash \sim\Diamond w \equiv \sim\Diamond\Diamond w$            by 1, 2, 3, 4 and PR
6. $\vdash \Diamond w \equiv \Diamond\Diamond w$                    by PR

Because of these last two theorems we can collapse any string of consecutive identical modalities
such as $\Box \ldots \Box$ or $\Diamond \ldots \Diamond$ into a single modality of the same type.

The following theorem establishes that $\Box$ is the dual of $\Diamond$. Note that A1 states that $\Diamond$ is the
dual of $\Box$, i.e., $\Diamond w \equiv \sim\Box\sim w$.

T5. $\vdash (\Diamond\sim w) \equiv (\sim\Box w)$

Proof:

1. $\vdash (\sim\sim w) \equiv w$                     by PT
2. $\vdash \Box\sim\sim w \equiv \Box w$              by $\Box\Box$
3. $\vdash (\sim\Diamond\sim w) \equiv \Box w$        by A1 and PR
4. $\vdash (\Diamond\sim w) \equiv (\sim\Box w)$      by PR

T6. $\vdash \Box(w_1 \supset w_2) \supset (\Diamond w_1 \supset \Diamond w_2)$

Proof:

1. $\vdash (w_1 \supset w_2) \equiv (\sim w_2 \supset \sim w_1)$                                    by PT
2. $\vdash \Box(w_1 \supset w_2) \equiv \Box(\sim w_2 \supset \sim w_1)$                            by $\Box\Box$
3. $\vdash \Box(\sim w_2 \supset \sim w_1) \supset (\Box\sim w_2 \supset \Box\sim w_1)$             by A2
4. $\vdash (\Box\sim w_2 \supset \Box\sim w_1) \equiv (\sim\Diamond w_2 \supset \sim\Diamond w_1)$  by A1 and PR
5. $\vdash (\sim\Diamond w_2 \supset \sim\Diamond w_1) \equiv (\Diamond w_1 \supset \Diamond w_2)$  by PT
6. $\vdash \Box(w_1 \supset w_2) \supset (\Diamond w_1 \supset \Diamond w_2)$                       by 2, 3, 4, 5 and PR

The following theorems show the interaction between the temporal and the boolean operators.

T7. $\vdash \Box(w_1 \wedge w_2) \equiv (\Box w_1 \wedge \Box w_2)$

Proof:

1. $\vdash (w_1 \wedge w_2) \supset w_1$                                                       by PT
2. $\vdash \Box(w_1 \wedge w_2) \supset \Box w_1$                                              by $\Box\Box$
3. $\vdash (w_1 \wedge w_2) \supset w_2$                                                       by PT
4. $\vdash \Box(w_1 \wedge w_2) \supset \Box w_2$                                              by $\Box\Box$
5. $\vdash \Box(w_1 \wedge w_2) \supset (\Box w_1 \wedge \Box w_2)$                            by 2, 4 and PR
6. $\vdash w_1 \supset (w_2 \supset (w_1 \wedge w_2))$                                         by PT
7. $\vdash \Box w_1 \supset \Box(w_2 \supset (w_1 \wedge w_2))$                                by $\Box\Box$
8. $\vdash \Box(w_2 \supset (w_1 \wedge w_2)) \supset (\Box w_2 \supset \Box(w_1 \wedge w_2))$ by A2
9. $\vdash \Box w_1 \supset (\Box w_2 \supset \Box(w_1 \wedge w_2))$                           by 7, 8 and PR
10. $\vdash (\Box w_1 \wedge \Box w_2) \supset \Box(w_1 \wedge w_2)$                           by PR
11. $\vdash \Box(w_1 \wedge w_2) \equiv (\Box w_1 \wedge \Box w_2)$                            by 5, 10 and PR


T8. $\vdash \Diamond(w_1 \vee w_2) \equiv (\Diamond w_1 \vee \Diamond w_2)$

Proof:

1. $\vdash \Box\sim(w_1 \vee w_2) \equiv \Box(\sim w_1 \wedge \sim w_2)$                                   by PT and $\Box\Box$
2. $\vdash \Box(\sim w_1 \wedge \sim w_2) \equiv (\Box\sim w_1 \wedge \Box\sim w_2)$                       by T7
3. $\vdash (\Box\sim w_1 \wedge \Box\sim w_2) \equiv \sim(\sim\Box\sim w_1 \vee \sim\Box\sim w_2)$         by PR
4. $\vdash \Box\sim(w_1 \vee w_2) \equiv \sim(\sim\Box\sim w_1 \vee \sim\Box\sim w_2)$                     by 1, 2, 3 and PR
5. $\vdash \sim\Diamond(w_1 \vee w_2) \equiv \sim(\Diamond w_1 \vee \Diamond w_2)$                         by A1 and PR
6. $\vdash \Diamond(w_1 \vee w_2) \equiv (\Diamond w_1 \vee \Diamond w_2)$                                 by PR


Note that, because of the universal character of $\Box$, it can be distributed over $\wedge$ (Theorem T7),
while $\Diamond$, which is of existential character, can be distributed over $\vee$ (Theorem T8). Next, we show
that interchanging a temporal operator with a boolean operator of the opposite character yields
implication in one direction only; the implication is not necessarily true in the other direction.


T9. $\vdash (\Box w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$

Proof:

1. $\vdash \Box w_1 \supset \Box(w_1 \vee w_2)$                          by PT and $\Box\Box$
2. $\vdash \Box w_2 \supset \Box(w_1 \vee w_2)$                          by PT and $\Box\Box$
3. $\vdash (\Box w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$          by 1, 2 and PR

T10. $\vdash \Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2)$

Proof:

1. $\vdash \Diamond(w_1 \wedge w_2) \supset \Diamond w_1$                              by PT and $\Diamond\Diamond$
2. $\vdash \Diamond(w_1 \wedge w_2) \supset \Diamond w_2$                              by PT and $\Diamond\Diamond$
3. $\vdash \Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2)$        by 1, 2 and PR


T11. $\vdash (\Box w_1 \wedge \Diamond w_2) \supset \Diamond(w_1 \wedge w_2)$

Proof:

1. $\vdash w_1 \supset (w_2 \supset (w_1 \wedge w_2))$                                                  by PT
2. $\vdash \Box w_1 \supset \Box(w_2 \supset (w_1 \wedge w_2))$                                         by $\Box\Box$
3. $\vdash \Box(w_2 \supset (w_1 \wedge w_2)) \supset (\Diamond w_2 \supset \Diamond(w_1 \wedge w_2))$  by T6
4. $\vdash \Box w_1 \supset (\Diamond w_2 \supset \Diamond(w_1 \wedge w_2))$                            by 2, 3 and PR
5. $\vdash (\Box w_1 \wedge \Diamond w_2) \supset \Diamond(w_1 \wedge w_2)$                             by PR

Next  we  consider  the  commutativity  properties  of  the  next  operator  O.  In  view  of  A4,  O 
is  self-dual  and  can  be  considered  to  be  of  both  existential  and  universal  character.  Indeed  it 
commutes  with  every  other  boolean  or  temporal  operator  as  well  as  with  quantifiers. 

T12. $\vdash \bigcirc(w_1 \wedge w_2) \equiv (\bigcirc w_1 \wedge \bigcirc w_2)$

Proof:

1. $\vdash w_1 \supset (w_2 \supset (w_1 \wedge w_2))$                                                       by PT
2. $\vdash \bigcirc w_1 \supset \bigcirc(w_2 \supset (w_1 \wedge w_2))$                                      by $\bigcirc\bigcirc$
3. $\vdash \bigcirc(w_2 \supset (w_1 \wedge w_2)) \supset (\bigcirc w_2 \supset \bigcirc(w_1 \wedge w_2))$   by A5
4. $\vdash \bigcirc w_1 \supset (\bigcirc w_2 \supset \bigcirc(w_1 \wedge w_2))$                             by 2, 3 and PR
5. $\vdash (\bigcirc w_1 \wedge \bigcirc w_2) \supset \bigcirc(w_1 \wedge w_2)$                              by PR
6. $\vdash (w_1 \wedge w_2) \supset w_1$                                                                     by PT
7. $\vdash \bigcirc(w_1 \wedge w_2) \supset \bigcirc w_1$                                                    by $\bigcirc\bigcirc$
8. $\vdash (w_1 \wedge w_2) \supset w_2$                                                                     by PT
9. $\vdash \bigcirc(w_1 \wedge w_2) \supset \bigcirc w_2$                                                    by $\bigcirc\bigcirc$
10. $\vdash \bigcirc(w_1 \wedge w_2) \supset (\bigcirc w_1 \wedge \bigcirc w_2)$                             by 7, 9 and PR
11. $\vdash \bigcirc(w_1 \wedge w_2) \equiv (\bigcirc w_1 \wedge \bigcirc w_2)$                              by 5, 10 and PR

T13. $\vdash \bigcirc(w_1 \vee w_2) \equiv (\bigcirc w_1 \vee \bigcirc w_2)$

Proof:

1. $\vdash \bigcirc(\sim w_1 \wedge \sim w_2) \equiv [(\bigcirc\sim w_1) \wedge (\bigcirc\sim w_2)]$       by T12
2. $\vdash \bigcirc(\sim w_1 \wedge \sim w_2) \equiv [(\sim\bigcirc w_1) \wedge (\sim\bigcirc w_2)]$       by A4 and PR
3. $\vdash \bigcirc\sim(w_1 \vee w_2) \equiv [(\sim\bigcirc w_1) \wedge (\sim\bigcirc w_2)]$               by $\bigcirc\bigcirc$ and PR
4. $\vdash \sim\bigcirc(w_1 \vee w_2) \equiv \sim(\bigcirc w_1 \vee \bigcirc w_2)$                         by A4 and PR
5. $\vdash \bigcirc(w_1 \vee w_2) \equiv (\bigcirc w_1 \vee \bigcirc w_2)$                                 by PR

T14. $\vdash \bigcirc(w_1 \supset w_2) \equiv (\bigcirc w_1 \supset \bigcirc w_2)$

Proof:

1. $\vdash \bigcirc(\sim w_1 \vee w_2) \equiv (\bigcirc\sim w_1) \vee (\bigcirc w_2)$      by T13
2. $\vdash \bigcirc(\sim w_1 \vee w_2) \equiv (\sim\bigcirc w_1) \vee (\bigcirc w_2)$      by A4 and PR
3. $\vdash \bigcirc(w_1 \supset w_2) \equiv (\bigcirc w_1 \supset \bigcirc w_2)$           by $\bigcirc\bigcirc$ and PR

T15. $\vdash \bigcirc(w_1 \equiv w_2) \equiv (\bigcirc w_1 \equiv \bigcirc w_2)$

Proof:

1. $\vdash [\bigcirc(w_1 \supset w_2) \wedge \bigcirc(w_2 \supset w_1)] \equiv [(\bigcirc w_1 \supset \bigcirc w_2) \wedge (\bigcirc w_2 \supset \bigcirc w_1)]$
                                                                                                  by T14 and PR
2. $\vdash \bigcirc[(w_1 \supset w_2) \wedge (w_2 \supset w_1)] \equiv [(\bigcirc w_1 \supset \bigcirc w_2) \wedge (\bigcirc w_2 \supset \bigcirc w_1)]$
                                                                                                  by T12 and PR
3. $\vdash \bigcirc(w_1 \equiv w_2) \equiv (\bigcirc w_1 \equiv \bigcirc w_2)$                   by $\bigcirc\bigcirc$ and PR


The previous theorems show that the next operator, $\bigcirc$, commutes with each of the boolean
operators. The following two theorems establish commutation of $\bigcirc$ with the temporal operators
$\Box$ and $\Diamond$.

T16. $\vdash \bigcirc\Box w \equiv \Box\bigcirc w$

Proof:

1. $\vdash \Box w \supset (w \supset \Box w)$        by PT

T18. $\vdash \Box\Diamond\Box w \equiv \Diamond\Box w$

Proof:

5. $\vdash \Diamond\Box w \supset \bigcirc\Diamond\Box w$     by 3, 4 and PR
6. $\vdash \Diamond\Box w \supset \Box\Diamond\Box w$         by CI
7. $\vdash \Box\Diamond\Box w \equiv \Diamond\Box w$          by 1, 6 and PR

T19. $\vdash \Diamond\Box\Diamond w \equiv \Box\Diamond w$

Proof: By duality from T18.


These last two theorems, together with T3 and T4 ($\Box\Box w \equiv \Box w$ and $\Diamond\Diamond w \equiv \Diamond w$, respectively),
give us a normal prefix form for a string of the form

$$m_1 m_2 \cdots m_k (w),$$

where each $m_i$ is either $\Box$ or $\Diamond$. We use first T3 and T4 to collapse any substring of the form $\Box^n$
and $\Diamond^n$ to a single $\Box$ or $\Diamond$. What remains must be a string of alternating $\Box$ and $\Diamond$. If it contains
more than one operator then it is equivalent by T18 and T19 to a string with just two operators,
the last two. Consequently any string such as the above must be equivalent to one of the following
four possibilities:

$$\Box w,\quad \Diamond w,\quad \Box\Diamond w\quad \text{or}\quad \Diamond\Box w.$$

In the more general case that the string also contains some occurrences of the next-time
operator $\bigcirc$, we may use the commutation of $\bigcirc$ with both $\Box$ and $\Diamond$ to obtain the four normal
forms:

$$\bigcirc^k\Box w,\quad \bigcirc^k\Diamond w,\quad \bigcirc^k\Box\Diamond w\quad \text{and}\quad \bigcirc^k\Diamond\Box w$$

for some $k \geq 0$.


T20. $\vdash \Box w \equiv (w \wedge \bigcirc\Box w)$

Proof:

1. $\vdash \Box w \supset w$                                                           by A3
2. $\vdash \Box w \supset \bigcirc\Box w$                                              by A7
3. $\vdash \Box w \supset (w \wedge \bigcirc\Box w)$                                   by 1, 2 and PR
4. $\vdash \bigcirc\Box w \supset \bigcirc(w \wedge \bigcirc\Box w)$                   by 3 and $\bigcirc\bigcirc$
5. $\vdash (w \wedge \bigcirc\Box w) \supset \bigcirc(w \wedge \bigcirc\Box w)$        by 4 and PR
6. $\vdash (w \wedge \bigcirc\Box w) \supset \Box(w \wedge \bigcirc\Box w)$            by CI
7. $\vdash \Box(w \wedge \bigcirc\Box w) \supset \Box w$                               by PT and $\Box\Box$
8. $\vdash (w \wedge \bigcirc\Box w) \supset \Box w$                                   by 6, 7 and PR
9. $\vdash \Box w \equiv (w \wedge \bigcirc\Box w)$                                    by 3, 8 and PR


T21. $\vdash \Diamond w \equiv (w \vee \bigcirc\Diamond w)$

Proof:

1. $\vdash \Box\sim w \equiv (\sim w \wedge \bigcirc\Box\sim w)$            by T20
2. $\vdash \sim\Diamond w \equiv \sim(w \vee \sim\bigcirc\Box\sim w)$        by 1, A1 and PR
3. $\vdash \sim\bigcirc\Box\sim w \equiv \bigcirc\Diamond w$                 by A4, A1, $\bigcirc\bigcirc$ and PR
4. $\vdash \Diamond w \equiv (w \vee \bigcirc\Diamond w)$                    by 2, 3 and PR


Theorems T20 and T21 give a fixpoint characterization of the $\Box$ and $\Diamond$ operators respectively.
They each give an equation using only boolean operators, the formula $w$ and the operator $\bigcirc$. The
solutions to these equations are $\Box w$ and $\Diamond w$ respectively. This shows that in some sense $\bigcirc$ is the
most basic operator since the other operators may be defined by means of fixpoint equations using
$\bigcirc$. Axiom A9 similarly characterizes the $\mathcal{U}$ operator by a fixpoint equation.
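The fixpoint reading of T20, T21 and A9 is exactly how one computes the semantics of Section 1 on a finite representation of a sequence, and it also gives a way to test the normal prefix form above. The following evaluator is an added example, not code from the paper. It assumes (my restriction) that $\sigma$ is ultimately periodic, i.e. a finite prefix $s_0 \ldots s_{n-1}$ whose last state loops back to some $s_l$; a position $i$ then stands for the suffix $\sigma^{(i)}$, every position has exactly one successor as A4 requires, and $\Box$, $\Diamond$ and $\mathcal{U}$ are computed as the greatest or least solutions of their fixpoint equations over the finite set of positions. Since the theorems are validities, they must hold on these models in particular, so the block reproduces the counterexample from the Example in Section 1 ($\Diamond w_1 \wedge \Diamond w_2$ without $\Diamond(w_1 \wedge w_2)$), and it checks that a modality prefix over $\Box$, $\Diamond$, $\bigcirc$ (written with the letters G, F, X, my naming) evaluates identically to its normal form. The "least solution" for $\mathcal{U}$ is the reading that the LUI rule later in this section makes precise.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lasso:
    """Ultimately periodic sequence s_0 ... s_{n-1} (s_loop ... s_{n-1})^omega.
    states[i] is the set of local propositions true in s_i. A set of positions
    stands for the set of suffixes sigma^(i) on which a formula is true."""
    states: tuple
    loop: int

    def __post_init__(self):
        if not 0 <= self.loop < len(self.states):
            raise ValueError("loop must point at an existing state")

    @property
    def all(self):
        return frozenset(range(len(self.states)))

    def prop(self, p):
        """Positions whose first state assigns true to the local proposition p."""
        return frozenset(i for i, s in enumerate(self.states) if p in s)

    def neg(self, w):
        return self.all - w

    def nxt(self, w):
        """○w: positions i such that w holds on sigma^(i+1) (unique successor, A4)."""
        return frozenset(i for i in self.all
                         if (i + 1 if i + 1 < len(self.states) else self.loop) in w)

    def _fixpoint(self, f, start):
        x = start
        while f(x) != x:          # monotone f on a finite lattice: terminates
            x = f(x)
        return x

    def always(self, w):
        # T20: □w ≡ w ∧ ○□w; the greatest solution, iterated down from all positions
        return self._fixpoint(lambda x: w & self.nxt(x), self.all)

    def eventually(self, w):
        # T21: ◇w ≡ w ∨ ○◇w; the least solution, iterated up from no positions
        return self._fixpoint(lambda x: w | self.nxt(x), frozenset())

    def until(self, u, v):
        # A9: uUv ≡ v ∨ (u ∧ ○(uUv)); the least solution (LUI)
        return self._fixpoint(lambda x: v | (u & self.nxt(x)), frozenset())

def counterexample_to_converse_of_T10():
    """The sequence of the Example in Section 1: w1 on odd states, w2 on even states
    (constructed input). Returns True when ◇w1 ∧ ◇w2 holds at s_0 but ◇(w1 ∧ w2) does not."""
    sigma = Lasso(states=(frozenset({"w2"}), frozenset({"w1"})), loop=0)
    w1, w2 = sigma.prop("w1"), sigma.prop("w2")
    lhs = sigma.eventually(w1) & sigma.eventually(w2)
    rhs = sigma.eventually(w1 & w2)
    return 0 in lhs and 0 not in rhs

def normalize_prefix(prefix):
    """Normal prefix form of a string over 'G' (□), 'F' (◇), 'X' (○) applied to w:
    move every X to the front (T16, T17), collapse runs of one modality (T3, T4),
    and keep only the last two of the remaining alternating string (T18, T19)."""
    k = prefix.count("X")
    collapsed = []
    for m in prefix:
        if m == "X":
            continue
        if not collapsed or collapsed[-1] != m:
            collapsed.append(m)
    return "X" * k + "".join(collapsed[-2:])

def apply_prefix(sigma, prefix, w):
    """Evaluate m_1 m_2 ... m_k (w) on sigma; the innermost modality m_k is applied first."""
    ops = {"G": sigma.always, "F": sigma.eventually, "X": sigma.nxt}
    for m in reversed(prefix):
        w = ops[m](w)
    return w

def prefix_forms_agree(sigma, prefix, p="w"):
    """Does the prefix evaluate to the same set of positions as its normal form?"""
    w = sigma.prop(p)
    return apply_prefix(sigma, prefix, w) == apply_prefix(sigma, normalize_prefix(prefix), w)

if __name__ == "__main__":
    print("converse of T10 fails:", counterexample_to_converse_of_T10())
    print("GGFGF normalizes to", normalize_prefix("GGFGF"))
```

Iterating from all positions for $\Box$ and from none for $\Diamond$ and $\mathcal{U}$ is not a detail: both $x = true$ and $x = false$ solve the equations of T20 and T21, and only the greatest and least solutions respectively agree with the definitions of Section 1.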


T22. $\vdash (w \wedge \Diamond\sim w) \supset \Diamond(w \wedge \bigcirc\sim w)$

This is the dual of the "computational induction" axiom A8. It states that if $w$ is true now
and is false sometime in the future, then there exists some instant such that $w$ is true at that
instant and false at the next.

Proof:

1. $\vdash \Box(w \supset \bigcirc w) \supset (w \supset \Box w)$                      by A8
2. $\vdash \sim(w \supset \Box w) \supset \sim\Box(w \supset \bigcirc w)$               by PR
3. $\vdash (w \wedge \sim\Box w) \supset \Diamond\sim(w \supset \bigcirc w)$            by T5 and PR
4. $\vdash \Diamond\sim(w \supset \bigcirc w) \equiv \Diamond(w \wedge \sim\bigcirc w)$ by PT and $\Diamond\Diamond$
5. $\vdash (w \wedge \sim\Box w) \supset \Diamond(w \wedge \sim\bigcirc w)$             by 3, 4 and PR
6. $\vdash (w \wedge \Diamond\sim w) \supset \Diamond(w \wedge \bigcirc\sim w)$         by T5, A4 and PR


The following derived rules correspond to proof rules existing in most axiomatic verification
systems:

Consequence Rules

$\Box$Q rule:
$$\frac{\vdash u_1 \supset u_2,\quad \vdash u_2 \supset \Box v_1,\quad \vdash v_1 \supset v_2}{\vdash u_1 \supset \Box v_2}$$

$\bigcirc$Q rule:
$$\frac{\vdash u_1 \supset u_2,\quad \vdash u_2 \supset \bigcirc v_1,\quad \vdash v_1 \supset v_2}{\vdash u_1 \supset \bigcirc v_2}$$

$\Diamond$Q rule:
$$\frac{\vdash u_1 \supset u_2,\quad \vdash u_2 \supset \Diamond v_1,\quad \vdash v_1 \supset v_2}{\vdash u_1 \supset \Diamond v_2}$$

Proof of $\Diamond$Q:

1. $\vdash u_1 \supset u_2$                     given
2. $\vdash u_2 \supset \Diamond v_1$            given
3. $\vdash v_1 \supset v_2$                     given
4. $\vdash \Diamond v_1 \supset \Diamond v_2$   by 3 and $\Diamond\Diamond$
5. $\vdash u_1 \supset \Diamond v_2$            by 1, 2, 4 and PR

The $\Box$Q and $\bigcirc$Q rules are proved similarly by the $\Box\Box$-rule and $\bigcirc\bigcirc$-rule, respectively.


Concatenation Rules

$\Box$C rule:
$$\frac{\vdash u \supset \Box v,\quad \vdash v \supset \Box w}{\vdash u \supset \Box w}$$

$\Diamond$C rule:
$$\frac{\vdash u \supset \Diamond v,\quad \vdash v \supset \Diamond w}{\vdash u \supset \Diamond w}$$

Proof of $\Box$C:

1. $\vdash u \supset \Box v$                  given
2. $\vdash v \supset \Box w$                  given
3. $\vdash \Box v \supset \Box\Box w$         by 2 and $\Box\Box$
4. $\vdash \Box v \supset \Box w$             by T3 and PR
5. $\vdash u \supset \Box w$                  by 1, 4 and PR

The $\Diamond$C rule is proved similarly by the $\Diamond\Diamond$-rule. Note that the corresponding $\bigcirc$C rule
(with conclusion $\vdash u \supset \bigcirc w$) does not hold; from $\vdash u \supset \bigcirc v$ and $\vdash v \supset \bigcirc w$ one only
obtains $\vdash u \supset \bigcirc\bigcirc w$.


UNTIL DERIVED RULES AND THEOREMS:

Right Until Introduction (RUI)

$$\frac{\vdash w \supset \Diamond v,\quad \vdash w \supset [v \vee (u \wedge \bigcirc w)]}{\vdash w \supset (u\,\mathcal{U}\,v)}$$

Proof:

1. $\vdash w \supset \Diamond v$                                                                              given
2. $\vdash w \supset [v \vee (u \wedge \bigcirc w)]$                                                          given
3. $\vdash [v \vee (u \wedge \bigcirc(u\,\mathcal{U}\,v))] \supset (u\,\mathcal{U}\,v)$                       by A9 and PR
4. $\vdash \sim(u\,\mathcal{U}\,v) \supset [\sim v \wedge (\sim u \vee \bigcirc\sim(u\,\mathcal{U}\,v))]$    by 3, A4 and PR
5. $\vdash [w \wedge \sim(u\,\mathcal{U}\,v)] \supset [\sim v \wedge \bigcirc w \wedge \bigcirc\sim(u\,\mathcal{U}\,v)]$
                                                                                                          by 2, 4 and PR
6. $\vdash [w \wedge \sim(u\,\mathcal{U}\,v)] \supset [\sim v \wedge \bigcirc(w \wedge \sim(u\,\mathcal{U}\,v))]$
                                                                                                          by T12 and PR
7. $\vdash [w \wedge \sim(u\,\mathcal{U}\,v)] \supset \Box\sim v$
                                    by DCI, taking $u$ to be $w \wedge \sim(u\,\mathcal{U}\,v)$ and $v$ to be $\sim v$
8. $\vdash [w \wedge \sim(u\,\mathcal{U}\,v)] \supset \sim\Box\sim v$                                         by 1, T5 and PR
9. $\vdash w \supset (u\,\mathcal{U}\,v)$                                                                     by 7, 8 and PR


The RUI rule, together with axioms A9 and A10, can be viewed as a characterization of the $u\,\mathcal{U}\,v$
construct as a maximal solution of the two implications:

$$(*)\qquad x \supset [v \vee (u \wedge \bigcirc x)],\qquad x \supset \Diamond v.$$

The ordering by which maximality is defined is the ordering induced by defining $false \sqsubset true$.
Axioms A9 and A10 imply that

$$(u\,\mathcal{U}\,v) \supset [v \vee (u \wedge \bigcirc(u\,\mathcal{U}\,v))],\qquad (u\,\mathcal{U}\,v) \supset \Diamond v.$$

Thus they show $x = u\,\mathcal{U}\,v$ to be a solution of the implications $(*)$. The rule RUI states that any
other solution $x = w$ must satisfy $w \supset (u\,\mathcal{U}\,v)$, which implies that whenever $w$ is true so is $u\,\mathcal{U}\,v$.
Interpreted in our ordering this is representable as $w \sqsubseteq (u\,\mathcal{U}\,v)$. Thus $x = u\,\mathcal{U}\,v$ is the maximal
solution to $(*)$.

An intuitive explanation as to why $u\,\mathcal{U}\,v$ is indeed the maximal solution of $(*)$ can be given as
follows:

Let $w$ be any proposition satisfying $(*)$ everywhere in a sequence $\sigma = s_0, s_1, \ldots$. We note
that $(*)$ may have many solutions. In particular $x = false$ is a trivial solution. However an obvious
property of every solution $w$ is that if $w$ is true in some state $s_i$, this state must satisfy $u$ and the
next state $s_{i+1}$ must also satisfy $w$, unless $s_i$ satisfies $v$. Thus once $w$ is true it can stop being true
only in a $v$-state. In view of the second implication such a $v$-state is guaranteed. Consequently
whenever $w$ is true in a state, $u\,\mathcal{U}\,v$ must also be true in that state.

Left Until Introduction (LUI)

$$\frac{\vdash [v \vee (u \wedge \bigcirc w)] \supset w}{\vdash (u\,\mathcal{U}\,v) \supset w}$$

Proof:

1. $\vdash [v \vee (u \wedge \bigcirc w)] \supset w$                                                                given
2. $\vdash u\,\mathcal{U}\,v \supset [v \vee (u \wedge \bigcirc(u\,\mathcal{U}\,v))]$                                 by A9 and PR
3. $\vdash \sim w \supset [\sim v \wedge (\sim u \vee \bigcirc\sim w)]$                                             by 1, A4 and PR
4. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset [\sim v \wedge u \wedge \bigcirc(u\,\mathcal{U}\,v) \wedge \bigcirc\sim w]$
                                                                                                                by 2, 3 and PR
5. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset [\bigcirc(u\,\mathcal{U}\,v) \wedge \bigcirc\sim w]$           by PR
6. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset \bigcirc(u\,\mathcal{U}\,v \wedge \sim w)$                     by T12 and PR
7. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset \Box(u\,\mathcal{U}\,v \wedge \sim w)$                         by CI
8. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset \sim v$                                                        by 3 and PR
9. $\vdash \Box(u\,\mathcal{U}\,v \wedge \sim w) \supset \Box\sim v$                                                by 8 and $\Box\Box$
10. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset \sim\Diamond v$                                               by 7, 9, A1 and PR
11. $\vdash [u\,\mathcal{U}\,v \wedge \sim w] \supset \Diamond v$                                                   by A10 and PR
12. $\vdash u\,\mathcal{U}\,v \supset w$                                                                            by 10, 11 and PR

The LUI rule, together with axiom A9, can be viewed as a characterization of the $u\,U\,v$ construct as the minimal solution of the implication:

(**)   $[v \vee (u \wedge \bigcirc x)] \supset x$

Axiom A9 implies that $x = u\,U\,v$ is a solution of (**). The LUI rule states that any other solution of (**), $x = w$, is implied by $u\,U\,v$. This means that whenever $u\,U\,v$ is true so is $w$, which is interpretable in our ordering as $u\,U\,v \subset w$. Thus $u\,U\,v$ is the minimal of all possible solutions.

Note that (**) possesses many solutions. In particular $x = \mathit{true}$ is a trivial solution. However, the minimal solution is unique and is given by $u\,U\,v$.


UU Rules

(a)   $\vdash u_1 \supset u_2$,   $\vdash v_1 \supset v_2$
      ----------------------------------------
      $\vdash u_1\,U\,v_1 \supset u_2\,U\,v_2$

(b)   $\vdash u_1 \equiv u_2$,   $\vdash v_1 \equiv v_2$
      ----------------------------------------
      $\vdash u_1\,U\,v_1 \equiv u_2\,U\,v_2$

Proof of (a):

1. $\vdash u_1 \supset u_2$   given
2. $\vdash v_1 \supset v_2$   given
3. $\vdash [v_2 \vee (u_2 \wedge \bigcirc(u_2\,U\,v_2))] \supset u_2\,U\,v_2$   by A9
4. $\vdash [v_1 \vee (u_1 \wedge \bigcirc(u_2\,U\,v_2))] \supset u_2\,U\,v_2$   by 1, 2, 3 and PR
5. $\vdash u_1\,U\,v_1 \supset u_2\,U\,v_2$   by LUI

The proof of part (b) follows from (a) by propositional reasoning and the symmetric application of (a).

This rule, together with the $\Box\Box$, $\Diamond\Diamond$ and $\bigcirc\bigcirc$ rules, shows that all the temporal operators are monotonic in all their arguments.


T23.  $\vdash (\sim w)\,U\,w \equiv \Diamond w$

Proof:

1. $\vdash (\sim w)\,U\,w \supset \Diamond w$   by A10
2. $\vdash \Diamond w \supset [w \vee \bigcirc\Diamond w]$   by T21 and PR
3. $\vdash \Diamond w \supset [w \vee (\sim w \wedge \bigcirc\Diamond w)]$   by PR
4. $\vdash \Diamond w \supset \Diamond w$   by PT
5. $\vdash \Diamond w \supset (\sim w)\,U\,w$   by 3, 4 and RUI
6. $\vdash (\sim w)\,U\,w \equiv \Diamond w$   by 1, 5 and PR


T24.  $\vdash (\Box w_1 \wedge \Diamond w_2) \supset (w_1\,U\,w_2)$

Proof:

1. $\vdash [\Box w_1 \wedge \Diamond w_2] \supset \Diamond w_2$   by PR
2. $\vdash [\Box w_1 \wedge \Diamond w_2] \supset [(w_1 \wedge \bigcirc\Box w_1) \wedge (w_2 \vee \bigcirc\Diamond w_2)]$   by PR, T20 and T21
3. $\vdash (\Box w_1 \wedge \Diamond w_2) \supset [w_2 \vee (w_1 \wedge \bigcirc\Box w_1 \wedge \bigcirc\Diamond w_2)]$   by PR
4. $\vdash (\Box w_1 \wedge \Diamond w_2) \supset [w_2 \vee (w_1 \wedge \bigcirc(\Box w_1 \wedge \Diamond w_2))]$   by T12 and PR
5. $\vdash [\Box w_1 \wedge \Diamond w_2] \supset w_1\,U\,w_2$   by 1, 4 and RUI, taking $w$ to be $\Box w_1 \wedge \Diamond w_2$, $u$ to be $w_1$, and $v$ to be $w_2$

T25.  $\vdash (w_1\,U\,w_2)\,U\,w_2 \equiv w_1\,U\,w_2$

Proof:

1. $\vdash (w_1\,U\,w_2)\,U\,w_2 \supset [w_2 \vee w_1\,U\,w_2]$   by A9 and PR
2. $\vdash w_2 \supset w_1\,U\,w_2$   by A9 and PR
3. $\vdash (w_1\,U\,w_2)\,U\,w_2 \supset w_1\,U\,w_2$   by 1, 2 and PR
4. $\vdash w_1\,U\,w_2 \supset \Diamond w_2$   by A10
5. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by A9 and PR
6. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1\,U\,w_2 \wedge \bigcirc(w_1\,U\,w_2))]$   by PR
7. $\vdash w_1\,U\,w_2 \supset (w_1\,U\,w_2)\,U\,w_2$   by 4, 6 and RUI
8. $\vdash (w_1\,U\,w_2)\,U\,w_2 \equiv w_1\,U\,w_2$   by 3, 7 and PR

T26.  $\vdash w_1\,U\,w_2 \equiv w_1\,U\,(w_1\,U\,w_2)$

Proof:

1. $\vdash w_2 \supset w_1\,U\,w_2$   by A9 and PR
2. $\vdash w_1\,U\,w_2 \supset w_1\,U\,(w_1\,U\,w_2)$   by UU
3. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset [w_1\,U\,w_2 \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_1\,U\,w_2))]]$   by A9 and PR
4. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset \{w_2 \vee [w_1 \wedge \bigcirc(w_1\,U\,w_2)] \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_1\,U\,w_2))]\}$   by A9 and PR
5. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset \{w_2 \vee [w_1 \wedge \bigcirc(w_1\,U\,w_2 \vee w_1\,U\,(w_1\,U\,w_2))]\}$   by T13 and PR
6. $\vdash [w_1\,U\,w_2 \vee w_1\,U\,(w_1\,U\,w_2)] \supset w_1\,U\,(w_1\,U\,w_2)$   by 2 and PR
7. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset \{w_2 \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_1\,U\,w_2))]\}$   by 6 with $\bigcirc\bigcirc$, 5, and PR
8. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset \Diamond(w_1\,U\,w_2)$   by A10
9. $\vdash w_1\,U\,w_2 \supset \Diamond w_2$   by A10
10. $\vdash \Diamond(w_1\,U\,w_2) \supset \Diamond\Diamond w_2$   by $\Diamond\Diamond$
11. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset \Diamond w_2$   by 8, 10, T1 and PR
12. $\vdash w_1\,U\,(w_1\,U\,w_2) \supset w_1\,U\,w_2$   by 11, 7 and RUI, taking $w$ to be $w_1\,U\,(w_1\,U\,w_2)$, $u$ to be $w_1$, and $v$ to be $w_2$
13. $\vdash w_1\,U\,w_2 \equiv w_1\,U\,(w_1\,U\,w_2)$   by 2, 12 and PR


U Insertion UI

(a)   $\vdash v$
      ----------------------
      $\vdash u\,U\,v$        for an arbitrary $u$

(b)   $\vdash u$,   $\vdash \Diamond v$
      ----------------------
      $\vdash u\,U\,v$

Proof of (a):

1. $\vdash v$   given
2. $\vdash v \supset u\,U\,v$   by A9 and PR
3. $\vdash u\,U\,v$   by 1, 2 and PR

Proof of (b):

1. $\vdash u$   given
2. $\vdash \Diamond v$   given
3. $\vdash \Box u$   by 1 and $\Box$I
4. $\vdash (\Box u \wedge \Diamond v) \supset u\,U\,v$   by T24
5. $\vdash u\,U\,v$   by 2, 3, 4 and PR


U Concatenation UC

$\vdash v_1 \supset u\,U\,v_2$,   $\vdash v_2 \supset u\,U\,v_3$
----------------------------------------
$\vdash v_1 \supset u\,U\,v_3$

Proof:

1. $\vdash v_1 \supset u\,U\,v_2$   given
2. $\vdash v_2 \supset u\,U\,v_3$   given
3. $\vdash u\,U\,v_2 \supset u\,U\,(u\,U\,v_3)$   by UU
4. $\vdash v_1 \supset u\,U\,(u\,U\,v_3)$   by 1, 3 and PR
5. $\vdash v_1 \supset u\,U\,v_3$   by T26 and PR


T27.  $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset (w_1 \wedge w_2)\,U\,(w_1 \wedge w_3)$

Proof:

1. $\vdash w_2\,U\,w_3 \supset \Diamond w_3$   by A10
2. $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset (\Box w_1 \wedge \Diamond w_3)$   by PR
3. $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset \Diamond(w_1 \wedge w_3)$   by T11 and PR
4. $\vdash w_2\,U\,w_3 \supset [w_3 \vee (w_2 \wedge \bigcirc(w_2\,U\,w_3))]$   by A9 and PR
5. $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset [(\Box w_1 \wedge w_3) \vee (\Box w_1 \wedge w_2 \wedge \bigcirc(w_2\,U\,w_3))]$   by 4 and PR
6. $\vdash (\Box w_1 \wedge w_3) \supset (w_1 \wedge w_3)$   by A3 and PR
7. $\vdash [\Box w_1 \wedge w_2 \wedge \bigcirc(w_2\,U\,w_3)] \supset [w_1 \wedge w_2 \wedge \bigcirc\Box w_1 \wedge \bigcirc(w_2\,U\,w_3)]$   by T20 and PR
8. $\vdash [\Box w_1 \wedge w_2 \wedge \bigcirc(w_2\,U\,w_3)] \supset [(w_1 \wedge w_2) \wedge \bigcirc(\Box w_1 \wedge w_2\,U\,w_3)]$   by T12 and PR
9. $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset \{(w_1 \wedge w_3) \vee [(w_1 \wedge w_2) \wedge \bigcirc(\Box w_1 \wedge w_2\,U\,w_3)]\}$   by 5, 6, 8 and PR
10. $\vdash [\Box w_1 \wedge w_2\,U\,w_3] \supset (w_1 \wedge w_2)\,U\,(w_1 \wedge w_3)$   by 3, 9 and RUI


The next theorem displays the commutation relation between the $\bigcirc$ and the U operators.

T28.  $\vdash (\bigcirc w_1)\,U\,(\bigcirc w_2) \equiv \bigcirc(w_1\,U\,w_2)$

Proof:

1. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by A9
2. $\vdash \bigcirc(w_1\,U\,w_2) \equiv [\bigcirc w_2 \vee (\bigcirc w_1 \wedge \bigcirc\bigcirc(w_1\,U\,w_2))]$   by T12, T13, $\bigcirc\bigcirc$ and PR
3. $\vdash [\bigcirc w_2 \vee (\bigcirc w_1 \wedge \bigcirc\bigcirc(w_1\,U\,w_2))] \supset \bigcirc(w_1\,U\,w_2)$   by PR
4. $\vdash (\bigcirc w_1)\,U\,(\bigcirc w_2) \supset \bigcirc(w_1\,U\,w_2)$   by LUI, taking $w$ to be $\bigcirc(w_1\,U\,w_2)$
5. $\vdash w_1\,U\,w_2 \supset \Diamond w_2$   by A10
6. $\vdash \bigcirc(w_1\,U\,w_2) \supset \bigcirc\Diamond w_2$   by $\bigcirc\bigcirc$
7. $\vdash \bigcirc(w_1\,U\,w_2) \supset \Diamond\bigcirc w_2$   by T17 and PR
8. $\vdash \bigcirc(w_1\,U\,w_2) \supset \{\bigcirc w_2 \vee [\bigcirc w_1 \wedge \bigcirc\bigcirc(w_1\,U\,w_2)]\}$   by 2 and PR
9. $\vdash \bigcirc(w_1\,U\,w_2) \supset (\bigcirc w_1)\,U\,(\bigcirc w_2)$   by 7, 8 and RUI, taking $w$ to be $\bigcirc(w_1\,U\,w_2)$, $u$ to be $\bigcirc w_1$, and $v$ to be $\bigcirc w_2$
10. $\vdash (\bigcirc w_1)\,U\,(\bigcirc w_2) \equiv \bigcirc(w_1\,U\,w_2)$   by 4, 9 and PR


Having classified $\Box$ as a universal operator, $\Diamond$ as an existential operator and $\bigcirc$ as being both universal and existential, we observe that U is universal with respect to its first argument and existential with respect to its second argument. This yields the commutation properties listed in T29 and T30.


T29.  $\vdash (w_1 \wedge w_2)\,U\,w_3 \equiv [w_1\,U\,w_3 \wedge w_2\,U\,w_3]$

Proof:

1. $\vdash (w_1 \wedge w_2) \supset w_1$   by PT
2. $\vdash (w_1 \wedge w_2)\,U\,w_3 \supset w_1\,U\,w_3$   by UU
3. $\vdash (w_1 \wedge w_2)\,U\,w_3 \supset w_2\,U\,w_3$   similarly
4. $\vdash (w_1 \wedge w_2)\,U\,w_3 \supset [w_1\,U\,w_3 \wedge w_2\,U\,w_3]$   by 2, 3 and PR
5. $\vdash w_1\,U\,w_3 \supset \Diamond w_3$   by A10
6. $\vdash [w_1\,U\,w_3 \wedge w_2\,U\,w_3] \supset \Diamond w_3$   by PR
7. $\vdash w_1\,U\,w_3 \supset \{w_3 \vee [w_1 \wedge \bigcirc(w_1\,U\,w_3)]\}$   by A9 and PR
8. $\vdash w_2\,U\,w_3 \supset \{w_3 \vee [w_2 \wedge \bigcirc(w_2\,U\,w_3)]\}$   by A9 and PR
9. $\vdash [w_1\,U\,w_3 \wedge w_2\,U\,w_3] \supset \{w_3 \vee [(w_1 \wedge w_2) \wedge \bigcirc(w_1\,U\,w_3 \wedge w_2\,U\,w_3)]\}$   by 7, 8, T12 and PR
10. $\vdash [w_1\,U\,w_3 \wedge w_2\,U\,w_3] \supset (w_1 \wedge w_2)\,U\,w_3$   by 6, 9 and RUI, taking $w$ to be $(w_1\,U\,w_3) \wedge (w_2\,U\,w_3)$, $u$ to be $w_1 \wedge w_2$, and $v$ to be $w_3$
11. $\vdash (w_1 \wedge w_2)\,U\,w_3 \equiv [w_1\,U\,w_3 \wedge w_2\,U\,w_3]$   by 4, 10 and PR


T30.  $\vdash w_1\,U\,(w_2 \vee w_3) \equiv [w_1\,U\,w_2 \vee w_1\,U\,w_3]$

Proof:

1. $\vdash w_2 \supset (w_2 \vee w_3)$   by PT
2. $\vdash w_1\,U\,w_2 \supset w_1\,U\,(w_2 \vee w_3)$   by UU
3. $\vdash w_1\,U\,w_3 \supset w_1\,U\,(w_2 \vee w_3)$   similarly
4. $\vdash [w_1\,U\,w_2 \vee w_1\,U\,w_3] \supset w_1\,U\,(w_2 \vee w_3)$   by 2, 3 and PR
5. $\vdash w_1\,U\,(w_2 \vee w_3) \supset \{(w_2 \vee w_3) \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_2 \vee w_3))]\}$   by A9 and PR
6. $\vdash [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))] \supset w_1\,U\,w_2$   by A9 and PR
7. $\vdash \sim(w_1\,U\,w_2) \supset \{\sim w_2 \wedge [\sim w_1 \vee \bigcirc \sim(w_1\,U\,w_2)]\}$   by 6, A4 and PR
8. $\vdash \sim(w_1\,U\,w_3) \supset \{\sim w_3 \wedge [\sim w_1 \vee \bigcirc \sim(w_1\,U\,w_3)]\}$   similarly
9. $\vdash [w_1\,U\,(w_2 \vee w_3) \wedge \sim(w_1\,U\,w_2) \wedge \sim(w_1\,U\,w_3)] \supset$
   $[\sim w_2 \wedge \sim w_3 \wedge w_1 \wedge \bigcirc(w_1\,U\,(w_2 \vee w_3)) \wedge \bigcirc \sim(w_1\,U\,w_2) \wedge \bigcirc \sim(w_1\,U\,w_3)]$   by 5, 7, 8 and PR
10. $\vdash [w_1\,U\,(w_2 \vee w_3) \wedge \sim(w_1\,U\,w_2) \wedge \sim(w_1\,U\,w_3)] \supset$
   $\{\sim(w_2 \vee w_3) \wedge \bigcirc[w_1\,U\,(w_2 \vee w_3) \wedge \sim(w_1\,U\,w_2) \wedge \sim(w_1\,U\,w_3)]\}$   by T12 and PR
11. $\vdash [w_1\,U\,(w_2 \vee w_3) \wedge \sim(w_1\,U\,w_2) \wedge \sim(w_1\,U\,w_3)] \supset \Box \sim(w_2 \vee w_3)$   by $\Box$CI
12. $\vdash w_1\,U\,(w_2 \vee w_3) \supset \Diamond(w_2 \vee w_3)$   by A10
13. $\vdash w_1\,U\,(w_2 \vee w_3) \supset \sim[\sim(w_1\,U\,w_2) \wedge \sim(w_1\,U\,w_3)]$   by 11, 12, A1 and PR
14. $\vdash w_1\,U\,(w_2 \vee w_3) \supset [w_1\,U\,w_2 \vee w_1\,U\,w_3]$   by PR
15. $\vdash w_1\,U\,(w_2 \vee w_3) \equiv [w_1\,U\,w_2 \vee w_1\,U\,w_3]$   by 4, 14 and PR


T31.  $\vdash [\Diamond w_1 \vee \Diamond w_2] \supset [(\sim w_1)\,U\,w_2 \vee (\sim w_2)\,U\,w_1]$

Proof:

1. $\vdash [\Diamond w_1 \vee \Diamond w_2] \supset \Diamond(w_1 \vee w_2)$   by T8 and PR
2. $\vdash \Diamond(w_1 \vee w_2) \supset (\sim(w_1 \vee w_2))\,U\,(w_1 \vee w_2)$   by T23 and PR
3. $\vdash \Diamond(w_1 \vee w_2) \supset (\sim w_1 \wedge \sim w_2)\,U\,(w_1 \vee w_2)$   by UU and PR
4. $\vdash \Diamond(w_1 \vee w_2) \supset [(\sim w_1 \wedge \sim w_2)\,U\,w_1 \vee (\sim w_1 \wedge \sim w_2)\,U\,w_2]$   by T30 and PR
5. $\vdash (\sim w_1 \wedge \sim w_2)\,U\,w_1 \supset (\sim w_2)\,U\,w_1$   by UU and PR
6. $\vdash (\sim w_1 \wedge \sim w_2)\,U\,w_2 \supset (\sim w_1)\,U\,w_2$   by UU and PR
7. $\vdash \Diamond(w_1 \vee w_2) \supset [(\sim w_1)\,U\,w_2 \vee (\sim w_2)\,U\,w_1]$   by 4, 5, 6 and PR
8. $\vdash (\Diamond w_1 \vee \Diamond w_2) \supset [(\sim w_1)\,U\,w_2 \vee (\sim w_2)\,U\,w_1]$   by 1, 7 and PR


The following two theorems display the one-way implication resulting from the interchange of the U operator with a boolean operator of the opposite character.


T32.  $\vdash w_1\,U\,(w_2 \wedge w_3) \supset [w_1\,U\,w_2 \wedge w_1\,U\,w_3]$

Proof:

1. $\vdash (w_2 \wedge w_3) \supset w_2$   by PT
2. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset w_1\,U\,w_2$   by UU and PR
3. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset w_1\,U\,w_3$   similarly
4. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset [w_1\,U\,w_2 \wedge w_1\,U\,w_3]$   by 2, 3 and PR


T33.  $\vdash [w_1\,U\,w_3 \vee w_2\,U\,w_3] \supset (w_1 \vee w_2)\,U\,w_3$

Proof:

1. $\vdash w_1 \supset (w_1 \vee w_2)$   by PT
2. $\vdash w_1\,U\,w_3 \supset (w_1 \vee w_2)\,U\,w_3$   by UU
3. $\vdash w_2 \supset (w_1 \vee w_2)$   by PT
4. $\vdash w_2\,U\,w_3 \supset (w_1 \vee w_2)\,U\,w_3$   by UU
5. $\vdash [w_1\,U\,w_3 \vee w_2\,U\,w_3] \supset (w_1 \vee w_2)\,U\,w_3$   by 2, 4 and PR


T34.  $\vdash (w_1 \supset w_2)\,U\,w_3 \supset [w_1\,U\,w_3 \supset w_2\,U\,w_3]$

Proof:

1. $\vdash (w_1 \supset w_2)\,U\,w_3 \supset \Diamond w_3$   by A10
2. $\vdash [(w_1 \supset w_2)\,U\,w_3 \wedge w_1\,U\,w_3] \supset$
   $\{w_3 \vee [(w_1 \supset w_2) \wedge \bigcirc((w_1 \supset w_2)\,U\,w_3) \wedge w_1 \wedge \bigcirc(w_1\,U\,w_3)]\}$   by A9 and PR
3. $\vdash [(w_1 \supset w_2)\,U\,w_3 \wedge w_1\,U\,w_3] \supset$
   $\{w_3 \vee [w_2 \wedge \bigcirc((w_1 \supset w_2)\,U\,w_3) \wedge \bigcirc(w_1\,U\,w_3)]\}$   by PR
4. $\vdash [(w_1 \supset w_2)\,U\,w_3 \wedge w_1\,U\,w_3] \supset$
   $\{w_3 \vee [w_2 \wedge \bigcirc((w_1 \supset w_2)\,U\,w_3 \wedge w_1\,U\,w_3)]\}$   by T12 and PR
5. $\vdash [(w_1 \supset w_2)\,U\,w_3 \wedge w_1\,U\,w_3] \supset w_2\,U\,w_3$   by 1, 4 and RUI, taking $w$ to be $((w_1 \supset w_2)\,U\,w_3) \wedge (w_1\,U\,w_3)$, $u$ to be $w_2$, and $v$ to be $w_3$
6. $\vdash (w_1 \supset w_2)\,U\,w_3 \supset [w_1\,U\,w_3 \supset w_2\,U\,w_3]$   by PR


T35.  $\vdash [w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3] \supset w_1\,U\,w_3$

Proof:

1. $\vdash (\sim w_2)\,U\,w_3 \supset \Diamond w_3$   by A10
2. $\vdash [w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3] \supset \Diamond w_3$   by PR
3. $\vdash w_1\,U\,w_2 \supset \{w_2 \vee [w_1 \wedge \bigcirc(w_1\,U\,w_2)]\}$   by A9 and PR
4. $\vdash (\sim w_2)\,U\,w_3 \supset \{w_3 \vee [\sim w_2 \wedge \bigcirc((\sim w_2)\,U\,w_3)]\}$   by A9 and PR
5. $\vdash [w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3] \supset$
   $\{w_3 \vee [w_1 \wedge \sim w_2 \wedge \bigcirc(w_1\,U\,w_2) \wedge \bigcirc((\sim w_2)\,U\,w_3)]\}$   by 3, 4 and PR
6. $\vdash [w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3] \supset$
   $\{w_3 \vee [w_1 \wedge \bigcirc(w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3)]\}$   by T12 and PR
7. $\vdash [w_1\,U\,w_2 \wedge (\sim w_2)\,U\,w_3] \supset w_1\,U\,w_3$   by 2, 6 and RUI


T36.  $\vdash w_1\,U\,(w_2 \wedge w_3) \supset (w_1\,U\,w_2)\,U\,w_3$

Proof:

1. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset \Diamond(w_2 \wedge w_3)$   by A10
2. $\vdash (w_2 \wedge w_3) \supset w_3$   by PT
3. $\vdash \Diamond(w_2 \wedge w_3) \supset \Diamond w_3$   by $\Diamond\Diamond$
4. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset \Diamond w_3$   by 1, 3 and PR
5. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset \{(w_2 \wedge w_3) \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_2 \wedge w_3))]\}$   by A9 and PR
6. $\vdash (w_2 \wedge w_3) \supset w_2$   by PT
7. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset w_1\,U\,w_2$   by UU
8. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset \{w_3 \vee [w_1\,U\,w_2 \wedge \bigcirc(w_1\,U\,(w_2 \wedge w_3))]\}$   by 5, 7 and PR
9. $\vdash w_1\,U\,(w_2 \wedge w_3) \supset (w_1\,U\,w_2)\,U\,w_3$   by 4, 8 and RUI

The following two theorems are referred to as "collapsing" theorems, since they may be used to derive a consequence of smaller nesting depth from a nested until expression.


T37.  $\vdash (w_1\,U\,w_2)\,U\,w_3 \supset (w_1 \vee w_2)\,U\,w_3$

Proof:

1. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by A9 and PR
2. $\vdash w_1\,U\,w_2 \supset (w_1 \vee w_2)$   by PR
3. $\vdash (w_1\,U\,w_2)\,U\,w_3 \supset (w_1 \vee w_2)\,U\,w_3$   by UU


T38.  $\vdash w_1\,U\,(w_2\,U\,w_3) \supset (w_1 \vee w_2)\,U\,w_3$

Proof:

1. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset \Diamond(w_2\,U\,w_3)$   by A10
2. $\vdash w_2\,U\,w_3 \supset \Diamond w_3$   by A10
3. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset \Diamond w_3$   by 1, 2 and $\Diamond$C
4. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset \{w_2\,U\,w_3 \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))]\}$   by A9 and PR
5. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset \{w_3 \vee [w_2 \wedge \bigcirc(w_2\,U\,w_3)] \vee [w_1 \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))]\}$   by A9 and PR
6. $\vdash w_2\,U\,w_3 \supset w_1\,U\,(w_2\,U\,w_3)$   by A9 and PR
7. $\vdash [w_2 \wedge \bigcirc(w_2\,U\,w_3)] \supset [(w_1 \vee w_2) \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))]$   by 6, $\bigcirc\bigcirc$ and PR
8. $\vdash [w_1 \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))] \supset [(w_1 \vee w_2) \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))]$   by PR
9. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset \{w_3 \vee [(w_1 \vee w_2) \wedge \bigcirc(w_1\,U\,(w_2\,U\,w_3))]\}$   by 5, 7, 8 and PR
10. $\vdash w_1\,U\,(w_2\,U\,w_3) \supset (w_1 \vee w_2)\,U\,w_3$   by 3, 9 and RUI


A very useful derived operator is the unless operator $u\,\mathcal{U}\,v$, defined by

$u\,\mathcal{U}\,v = [\Box u \vee (u\,U\,v)]$.

The unless operator does not insist on the fact that $v$ actually happens, but it requires that $u$ holds until such an occurrence. If $v$ never happens, $u$ must hold forever. This operator is related to the binary "as long as" operator $p\,O\,q$, reading "$q$ as long as $p$," introduced by Lamport in [L2]. The meaning of this construct is that $q$ holds continuously as long as $p$ is continuously maintained. We may express $p\,O\,q$ by:

$p\,O\,q = q\,\mathcal{U}\,(\sim p)$.
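The fixpoint reading of $u\,U\,v$ that accompanies the RUI and LUI rules above, and the unless operator just defined, can both be checked on finite models. The following Python program is an added example and is not part of the paper: it evaluates the propositional operators over ultimately periodic state sequences (lassos), computes the greatest and least solutions of $x = v \vee (u \wedge \bigcirc x)$ by iteration and compares them with $u\,U\,v$ and $u\,\mathcal{U}\,v$, and decides several of the theorems T23 to T38 by enumerating every small lasso, returning a counterexample when an implication fails. The class and function names (`Lasso`, `sat`, `fixpoint`, `counterexample`) and the tuple encoding of formulas are this example's own conventions, not the paper's.

```python
from itertools import product

# Formula encoding (this example's own): ('p', name), ('not', f), ('and', f, g),
# ('or', f, g), ('next', f), ('box', f), ('dia', f), ('U', f, g).
def P(n): return ('p', n)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return ('or', f, g)
def Next(f): return ('next', f)
def Box(f): return ('box', f)
def Dia(f): return ('dia', f)
def U(f, g): return ('U', f, g)
def Unless(f, g):            # the derived unless operator of the text: box(u) or (u U v)
    return Or(Box(f), U(f, g))

class Lasso:
    """An ultimately periodic sequence s_0, s_1, ...: `states` is a list of
    dicts (proposition -> bool); after the last state the sequence continues
    from index `loop`, so every suffix is infinite."""
    def __init__(self, states, loop):
        self.states, self.loop, self.n = states, loop, len(states)
    def succ(self, i):                     # index of the next state
        return i + 1 if i + 1 < self.n else self.loop
    def reachable(self, i):                # every index visited from i onward
        return frozenset(range(min(i, self.loop), self.n))

def sat(m, f):
    """Set of indices of lasso m at which formula f holds."""
    k, all_idx = f[0], frozenset(range(m.n))
    if k == 'p':   return frozenset(i for i in all_idx if m.states[i].get(f[1], False))
    if k == 'not': return all_idx - sat(m, f[1])
    if k == 'and': return sat(m, f[1]) & sat(m, f[2])
    if k == 'or':  return sat(m, f[1]) | sat(m, f[2])
    if k == 'next':
        s = sat(m, f[1]); return frozenset(i for i in all_idx if m.succ(i) in s)
    if k == 'box':
        s = sat(m, f[1]); return frozenset(i for i in all_idx if m.reachable(i) <= s)
    if k == 'dia':
        s = sat(m, f[1]); return frozenset(i for i in all_idx if m.reachable(i) & s)
    if k == 'U':
        F, G = sat(m, f[1]), sat(m, f[2])
        def holds(i):
            seen = set()
            while i not in seen:           # walk the suffix until an index repeats
                if i in G: return True
                if i not in F: return False
                seen.add(i); i = m.succ(i)
            return False                   # cycled without ever reaching g
        return frozenset(i for i in all_idx if holds(i))
    raise ValueError(k)

def fixpoint(m, F, G, start, bound=None):
    """Iterate X := G | (F & pre(X)), i.e. x = v or (u and next x), from
    `start` until stable. Starting from all indices gives the greatest
    solution, from the empty set the least one; `bound` (a set) intersects
    every iterate, which is how the second implication x implies dia(v) of (*) enters."""
    X = start
    while True:
        Y = G | (F & frozenset(i for i in range(m.n) if m.succ(i) in X))
        if bound is not None: Y &= bound
        if Y == X: return X
        X = Y

def fixpoint_characterization(m, u, v):
    """On lasso m: (greatest solution == u unless v,
                    greatest solution restricted by dia(v) == u U v,
                    least solution == u U v)."""
    F, G, top = sat(m, u), sat(m, v), frozenset(range(m.n))
    gfp = fixpoint(m, F, G, top)
    gfp_ev = fixpoint(m, F, G, top, bound=sat(m, Dia(v)))
    lfp = fixpoint(m, F, G, frozenset())
    return (gfp == sat(m, Unless(u, v)), gfp_ev == sat(m, U(u, v)), lfp == sat(m, U(u, v)))

def all_lassos(props, max_len):
    """Every lasso of at most max_len states over the given propositions."""
    vals = [dict(zip(props, bits)) for bits in product([False, True], repeat=len(props))]
    for n in range(1, max_len + 1):
        for states in product(vals, repeat=n):
            for loop in range(n):
                yield Lasso(list(states), loop)

def counterexample(f, g, equiv=False, props=('w1', 'w2', 'w3'), max_len=3):
    """None if f implies g (f equivalent to g when equiv) at every index of every
    small lasso, else a (lasso, index) pair refuting it. Exhaustive over lassos
    of up to max_len states, so it is a bounded check, not a proof."""
    for m in all_lassos(props, max_len):
        sf, sg = sat(m, f), sat(m, g)
        bad = (sf ^ sg) if equiv else (sf - sg)
        if bad:
            return m, min(bad)
    return None

if __name__ == '__main__':
    w1, w2, w3 = P('w1'), P('w2'), P('w3')
    print('T23 holds:', counterexample(U(Not(w1), w1), Dia(w1), equiv=True) is None)
    print('T30 holds:', counterexample(U(w1, Or(w2, w3)), Or(U(w1, w2), U(w1, w3)), equiv=True) is None)
    ce = counterexample(And(U(w1, w2), U(w1, w3)), U(w1, And(w2, w3)))   # converse of T32
    print('converse of T32 refuted at index', ce[1], 'of', ce[0].states, 'loop', ce[0].loop)
    print('fixpoints agree on all 2-proposition lassos:',
          all(fixpoint_characterization(m, w1, w2) == (True, True, True)
              for m in all_lassos(('w1', 'w2'), 3)))
```

The three booleans returned by `fixpoint_characterization` are exactly the three claims of the text: the greatest solution of $x = v \vee (u \wedge \bigcirc x)$ on its own is the unless operator, adding the constraint $x \supset \Diamond v$ cuts it down to $u\,U\,v$ (RUI), and the least solution is again $u\,U\,v$ (LUI). The bounded checker only covers lassos of at most three states, so a `None` result supports a theorem but does not replace its proof, whereas a returned counterexample is conclusive.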


Following is a rule for establishing the unless operator.

Unless Introduction $\mathcal{U}$I

$\vdash u \supset \bigcirc(u \vee v)$
----------------------------------------
$\vdash u \supset (u\,\mathcal{U}\,v)$

Proof:

1. $\vdash u \supset \bigcirc(u \vee v)$   given
2. $\vdash u \supset [\bigcirc u \vee \bigcirc v]$   by T13
3. $\vdash \sim(u\,U\,v) \supset \{\sim v \wedge [\sim u \vee \bigcirc \sim(u\,U\,v)]\}$   by A9, T4 and PR
4. $\vdash \bigcirc \sim(u\,U\,v) \supset \bigcirc \sim v$   by $\bigcirc\bigcirc$ and PR
5. $\vdash [u \wedge \sim(u\,U\,v)] \supset [u \wedge \bigcirc \sim(u\,U\,v)]$   by 3 and PR
6. $\vdash [u \wedge \sim(u\,U\,v)] \supset [u \wedge \bigcirc \sim(u\,U\,v) \wedge \sim \bigcirc v]$   by 4, 5, A4 and PR
7. $\vdash [u \wedge \sim(u\,U\,v)] \supset [u \wedge \bigcirc u \wedge \bigcirc \sim(u\,U\,v)]$   by 2, 6 and PR
8. $\vdash [u \wedge \sim(u\,U\,v)] \supset [u \wedge \bigcirc(u \wedge \sim(u\,U\,v))]$   by T7 and PR
9. $\vdash [u \wedge \sim(u\,U\,v)] \supset \Box u$   by $\Box$CI
10. $\vdash u \supset (\Box u \vee (u\,U\,v))$   by PR
11. $\vdash u \supset (u\,\mathcal{U}\,v)$   by definition of $\mathcal{U}$


This concludes the description of the propositional section of general temporal logic. The axiomatic system presented for this section of the logic is known to be complete, and the validity problem decidable ([PS]). Consequently, there exists a procedure that tests each formula in PTL (Propositional Temporal Logic) for validity, and constructs a proof in the presented system if the statement is valid. The procedure given in [PS] takes exponential time in the size of the tested formula.


4. QUANTIFIERS

Since we intend to use terms and predicates in our reasoning we have to extend our system to admit individual variables, terms and quantification. Let us consider additional axioms involving quantifiers and their interaction with the temporal operators.

AXIOMS:

A11.  $\vdash \exists x.w \equiv \sim \forall x.\sim w$

A12.  $\vdash (\forall x.w(x)) \supset w(t)$
      where $t$ is any term globally free for $x$ in $w$

A13.  $\vdash (\forall x.\bigcirc w) \supset (\bigcirc \forall x.w)$

In these axioms, $x$ is any global individual variable. Axioms A11 and A12 are the usual predicate calculus axioms: A11 defines $\exists$ as the dual of $\forall$ and A12 is the instantiation axiom. Axiom A13 is the Barcan formula for the $\bigcirc$ operator; it states that since both operators $\forall$ and $\bigcirc$ have universal characteristics they commute. We use the substitution notation $w(x)$ replaced by $w(t)$ to denote the substitution of the term $t$ for all free occurrences of $x$ in $w$.

A term $t$ is said to be globally free for $x$ in $w$ if substitution of $t$ for all free occurrences of $x$ in $w$: (a) does not create new bound occurrences of (global) variables, and (b) does not create new occurrences of local variables in the scope of a temporal operator. A trivial case: if $t$ is $x$ itself, then $t$ is free for $x$. Condition (a) is the one stipulated in classical predicate logic. Condition (b) is special to modal and temporal logics with quantification. Condition (b) is essential for A12, because without it we could derive the formula

$(\forall x.\bigcirc(x < y)) \supset \bigcirc(y < y)$,

which is not valid for a local variable $y$.
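The side condition "globally free for" can be mechanized. The following Python checker is an added example, not the paper's own code: it walks a formula, tracks which variables are bound and whether the current occurrence lies under a temporal operator, and rejects a substitution that would violate condition (a) or condition (b); `a12_instance` then forms the A12 instance only when the condition holds, so the invalid instance $(\forall x.\bigcirc(x < y)) \supset \bigcirc(y < y)$ for a local $y$ is refused. The tuple encoding of terms and formulas, the split of variables into a caller-supplied set of local variables, and all function names are this example's own assumptions.

```python
# Terms (this example's own encoding): ('var', name) | ('const', value)
# | ('fn', name, [terms]).  Formulas: ('pred', name, [terms]) | ('not', w)
# | ('and', w1, w2) | ('or', w1, w2) | ('imp', w1, w2) | ('next', w)
# | ('box', w) | ('dia', w) | ('until', w1, w2) | ('forall', x, w) | ('exists', x, w).
TEMPORAL = {'next', 'box', 'dia', 'until'}
QUANTIFIERS = {'forall', 'exists'}

def term_vars(t):
    """All variables occurring in term t."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'const':
        return set()
    return set().union(*[term_vars(a) for a in t[2]])

def globally_free_for(t, x, w, local_vars, bound=frozenset(), under_temporal=False):
    """True iff substituting t for every free occurrence of x in w
    (a) binds no variable of t under a quantifier of w, and
    (b) brings no local variable of t into the scope of a temporal operator."""
    kind = w[0]
    if kind == 'pred':
        if not any(x in term_vars(a) for a in w[2]):
            return True                       # no free occurrence of x here
        tv = term_vars(t)
        if tv & bound:                        # condition (a): a variable of t would be captured
            return False
        if under_temporal and (tv & set(local_vars)):
            return False                      # condition (b): local variable under next/box/dia/until
        return True
    if kind in QUANTIFIERS:
        y, body = w[1], w[2]
        if y == x:
            return True                       # x is bound below, nothing to substitute
        return globally_free_for(t, x, body, local_vars, bound | {y}, under_temporal)
    ut = under_temporal or kind in TEMPORAL
    return all(globally_free_for(t, x, sub, local_vars, bound, ut) for sub in w[1:])

def subst_term(t, x, s):
    """Term t with variable x replaced by term s."""
    if t[0] == 'var':
        return s if t[1] == x else t
    if t[0] == 'const':
        return t
    return ('fn', t[1], [subst_term(a, x, s) for a in t[2]])

def substitute(w, x, s):
    """w with every free occurrence of x replaced by term s (no side-condition check)."""
    kind = w[0]
    if kind == 'pred':
        return ('pred', w[1], [subst_term(a, x, s) for a in w[2]])
    if kind in QUANTIFIERS:
        return w if w[1] == x else (kind, w[1], substitute(w[2], x, s))
    return (kind,) + tuple(substitute(sub, x, s) for sub in w[1:])

def a12_instance(w, x, t, local_vars):
    """The A12 instance (forall x.w) imp w(t), or None when t is not globally
    free for x in w and the instance must not be formed."""
    if not globally_free_for(t, x, w, local_vars):
        return None
    return ('imp', ('forall', x, w), substitute(w, x, t))

if __name__ == '__main__':
    # The text's example, as constructed input: w is next(x < y) and t is y.
    w = ('next', ('pred', '<', [('var', 'x'), ('var', 'y')]))
    print('y local  :', a12_instance(w, 'x', ('var', 'y'), local_vars={'y'}))   # None
    print('y global :', a12_instance(w, 'x', ('var', 'y'), local_vars=set()))   # the instance
    captured = ('exists', 'y', ('pred', '<', [('var', 'x'), ('var', 'y')]))
    print('capture  :', globally_free_for(('var', 'y'), 'x', captured, set()))  # False
```

Condition (b) is what distinguishes this check from the classical one: with `local_vars` empty the checker degenerates to the usual capture-avoiding test of predicate calculus, and the instance $(\forall x.\bigcirc(x < y)) \supset \bigcirc(y < y)$ is accepted, which is correct for a global (state-independent) $y$.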


An additional rule of inference is:

INFERENCE RULE:

R4.  $\forall$ Insertion  $\forall$I

$\vdash u \supset v$
----------------------
$\vdash u \supset \forall x.v$        where $x$ is not free in $u$.

DERIVED RULES AND THEOREMS:

From R4 we can obtain the derived rule

Instantiation Rule  INST

$\vdash w(x)$
----------------------
$\vdash w(t)$        where $t$ is any term globally free for $x$ in $w$.

Proof:

1. $\vdash w(x)$   given
2. $\vdash \forall x.w(x)$   by $\forall$I (taking $u$ to be $\mathit{true}$)
3. $\vdash (\forall x.w(x)) \supset w(t)$   by A12
4. $\vdash w(t)$   by 2, 3 and MP


The following are the duals of A12 and R4 for the existential quantifier $\exists$:

T39.  $\vdash w(t) \supset \exists x.w(x)$
      where $t$ is any term globally free for $x$ in $w$.

Proof:

1. $\vdash (\forall x.\sim w(x)) \supset \sim w(t)$   by A12
2. $\vdash (\sim \exists x.w(x)) \supset \sim w(t)$   by A11 and PR
3. $\vdash w(t) \supset \exists x.w(x)$   by PR

Note again that we need here the additional condition (b), ensuring that the substitution of $t$ for $x$ in $w$ does not create new occurrences of local variables in the scope of a modal operator.
$\exists$ Insertion  $\exists$I

$\vdash u \supset v$
----------------------
$\vdash \exists x.u \supset v$        where $x$ is not free in $v$

Proof:

1. $\vdash u \supset v$   given
2. $\vdash \sim v \supset \sim u$   by PR
3. $\vdash \sim v \supset \forall x.\sim u$   by $\forall$I, since $x$ is not free in $\sim v$
4. $\vdash \sim v \supset \sim \exists x.u$   by A11 and PR
5. $\vdash \exists x.u \supset v$   by PR


$\forall\forall$ Rules

(a)   $\vdash u \supset v$
      ----------------------
      $\vdash \forall x.u \supset \forall x.v$

(b)   $\vdash u \equiv v$
      ----------------------
      $\vdash \forall x.u \equiv \forall x.v$

Proof of (a):

1. $\vdash \forall x.u \supset u$   by A12
2. $\vdash u \supset v$   given
3. $\vdash \forall x.u \supset v$   by PR
4. $\vdash \forall x.u \supset \forall x.v$   by $\forall$I, since $\forall x.u$ contains no free occurrences of $x$.

Rule (b) then follows by propositional reasoning.


$\exists\exists$ Rules

(a)   $\vdash u \supset v$
      ----------------------
      $\vdash \exists x.u \supset \exists x.v$

(b)   $\vdash u \equiv v$
      ----------------------
      $\vdash \exists x.u \equiv \exists x.v$

Proof of (a):

1. $\vdash u \supset v$   given
2. $\vdash (\sim v) \supset (\sim u)$   by PR
3. $\vdash (\forall x.\sim v) \supset (\forall x.\sim u)$   by $\forall\forall$
4. $\vdash (\sim \exists x.v) \supset (\sim \exists x.u)$   by A11 and PR
5. $\vdash \exists x.u \supset \exists x.v$   by PR

Rule (b) then follows by propositional reasoning.


From the axiom A1,

$\vdash \sim \Diamond w \equiv \Box \sim w$,

we can clearly deduce the formula

$\vdash \sim(w \vee \Box \sim w) \equiv \sim(w \vee \sim \Diamond w)$

by propositional reasoning (PR). However, we cannot deduce by PR the formula

$\Box\Box \sim w \equiv \Box \sim \Diamond w$

or

$\forall x.\Box \sim w \equiv \forall x.\sim \Diamond w$.

Here, the replacement of $\Box \sim w$ by $\sim \Diamond w$ is under the scope of the operator $\Box$ and the quantifier $\forall x$, respectively, and thus cannot be justified by propositional reasoning alone. For this reason we need the following equivalence rule.

Equivalence Rule — ER

Let $w'$ be the result of replacing an occurrence of a subformula $v_1$ in $w$ by $v_2$. Then

$\vdash v_1 \equiv v_2$
----------------------
$\vdash w \equiv w'$


Proof:

By induction on the structure of $w$.

Case: $w$ is $v_1$. Then $w'$ is $v_2$ and $\vdash v_1 \equiv v_2$ implies $\vdash w \equiv w'$.

Case: $w$ is of the form $\sim u$. We assume that $\vdash v_1 \equiv v_2$ implies $\vdash u \equiv u'$. Then by propositional reasoning $\vdash \sim u \equiv \sim u'$, i.e., $\vdash w \equiv w'$.

Case: $w$ is of the form $u_1 \vee u_2$. We assume that if $\vdash v_1 \equiv v_2$, then $\vdash u_1 \equiv u_1'$ and $\vdash u_2 \equiv u_2'$. Then by propositional reasoning $\vdash (u_1 \vee u_2) \equiv (u_1' \vee u_2')$, i.e., $\vdash w \equiv w'$.

The cases where $w$ is of forms $u_1 \wedge u_2$, $u_1 \supset u_2$, etc. are similar.

Case: $w$ is of the form $\Box u$. We assume that if $\vdash v_1 \equiv v_2$, then $\vdash u \equiv u'$. By the $\Box\Box$-rule, $\vdash \Box u \equiv \Box u'$, i.e., $\vdash w \equiv w'$.

The cases in which $w$ is of forms $\Diamond u$, $\bigcirc u$, and $u_1\,U\,u_2$ are treated similarly, using the $\Diamond\Diamond$-rule, the $\bigcirc\bigcirc$-rule, and the UU-rule, respectively.

Case: $w$ is of the form $\forall x.u$. We assume that if $\vdash v_1 \equiv v_2$, then $\vdash u \equiv u'$. Then by the $\forall\forall$-rule, $\vdash \forall x.u \equiv \forall x.u'$, i.e., $\vdash w \equiv w'$.

The case where $w$ is of form $\exists x.u$ is proved similarly by the $\exists\exists$-rule.


Deduction Rule  DED

$w_1 \vdash w_2$
----------------------
$\vdash (\Box w_1) \supset w_2$
where the $\forall$I rule (Rule R4) is never applied to a free variable of $w_1$ in the derivation of $w_1 \vdash w_2$.

That is, if under the assumption $w_1$ we can derive $\vdash w_2$, where rule R4 is never applied to a free variable of $w_1$, then there exists a proof establishing $\vdash (\Box w_1) \supset w_2$. We clearly must also be careful in using any theorem or derived rule, such as the $\forall\forall$ or ER rule, that was established using the $\forall$I rule.

The additional $\Box$ operator in the conclusion is obviously necessary, since in general $w_1 \vdash w_2$ does not imply $\vdash w_1 \supset w_2$. For example, obviously $w \vdash \Box w$ is true (an immediate application of rule R3: $\vdash w$ by assumption and therefore $\vdash \Box w$ by $\Box$I); but $w \supset \Box w$ is not a theorem.

Proof:

The proof of the temporal Deduction Rule follows the same arguments used in the proof of the classical deduction theorem of Predicate Calculus. By the given $w_1 \vdash w_2$, there exists a proof of the form:

$\vdash u_1$
$\vdash u_2$
$\ldots$
$\vdash u_m$

such that $u_1 = w_1$ is the hypothesis on which the proof relies, and $u_m = w_2$ is the consequence of the proof. We replace each line $\vdash u_i$ in the proof of $w_1 \vdash w_2$ by the line $\vdash (\Box w_1) \supset u_i$, and show that this transformation preserves soundness. That is

given                  show
$\vdash u_1$           $\vdash (\Box w_1) \supset u_1$
$\vdash u_2$           $\vdash (\Box w_1) \supset u_2$
$\ldots$               $\ldots$
$\vdash u_i$           $\vdash (\Box w_1) \supset u_i$
$\ldots$               $\ldots$
$\vdash u_m$           $\vdash (\Box w_1) \supset u_m$
i.e., $\vdash w_2$     i.e., $\vdash (\Box w_1) \supset w_2$

where each $u_i$ is either the assumption $w_1$, an axiom, or derived from previous $u_j$'s by some rule of inference.

The proof is by a complete induction on $i$. We assume that for all $k < i$, $\vdash (\Box w_1) \supset u_k$, and prove that $\vdash (\Box w_1) \supset u_i$.

Case: $u_i$ is an axiom.

1. $\vdash u_i$   axiom
2. $\vdash (\Box w_1) \supset u_i$   by PR

Note that $\vdash w'$ implies $\vdash w \supset w'$ for any $w$, by propositional reasoning.

Case: $u_i$ is $w_1$.

1. $\vdash (\Box w_1) \supset w_1$   by A3

Case: $u_i$ is obtained by rule R1, i.e., $u_i$ is an instance of a tautology.

1. $\vdash u_i$   by PT
2. $\vdash (\Box w_1) \supset u_i$   by PR

Case: $u_i$ is obtained by rule R2 (using previous $\vdash u_k$ and $\vdash u_k \supset u_i$).

1. $\vdash (\Box w_1) \supset u_k$   induction hypothesis
2. $\vdash (\Box w_1) \supset (u_k \supset u_i)$   induction hypothesis
3. $\vdash (\Box w_1) \supset u_i$   by 1, 2 and PR

Case: $u_i$ is obtained by rule R3 (using previous $\vdash u_k$), i.e., $u_i$ is $\Box u_k$.

1. $\vdash (\Box w_1) \supset u_k$   induction hypothesis
2. $\vdash (\Box\Box w_1) \supset \Box u_k$   by $\Box\Box$
3. $\vdash (\Box w_1) \supset \Box\Box w_1$   by T3 and PR
4. $\vdash (\Box w_1) \supset \Box u_k$   by 2, 3 and PR

Case: $u_i$ is obtained by rule R4 (using previous $\vdash u \supset v$, i.e. $u_k$, to get $\vdash u \supset \forall x.v$, i.e. $u_i$, where $x$ is not free in $u$).

By our deduction rule assumption, we know that $x$ is also not free in $w_1$.

1. $\vdash (\Box w_1) \supset (u \supset v)$   induction hypothesis
2. $\vdash ((\Box w_1) \wedge u) \supset v$   by PR
3. $\vdash ((\Box w_1) \wedge u) \supset \forall x.v$   by R4 (since $x$ is not free in $u$ or $w_1$)
4. $\vdash (\Box w_1) \supset (u \supset \forall x.v)$   by PR

A different approach to coping with the application of the $\Box$ insertion rule (rule R3) is to forbid it altogether. We then get the following restricted deduction rule:

Restricted Deduction Rule  RDED

$w_1 \vdash w_2$
----------------------
$\vdash w_1 \supset w_2$
where $\Box$I (rule R3) is never applied and $\forall$I (rule R4) is never applied to a free variable of $w_1$ in the derivation of $w_1 \vdash w_2$.

Here, we are not allowed to use rule $\Box$I or any theorem or derived rule in whose proof $\Box$I was used.

The proof of RDED follows exactly that of DED, except that the case in which rule R3 is applied does not arise.


QUANTIFIER THEOREMS:

T40.  $\vdash (\sim \forall x.w) \equiv (\exists x.\sim w)$

Proof:

1. $\vdash (\sim\sim w) \equiv w$   by PT
2. $\vdash (\forall x.\sim\sim w) \equiv \forall x.w$   by $\forall\forall$
3. $\vdash (\sim \exists x.\sim w) \equiv \forall x.w$   by A11 and PR
4. $\vdash \sim \forall x.w \equiv \exists x.\sim w$   by PR

T41.  $\vdash \forall x.(w_1 \wedge w_2) \equiv (\forall x.w_1 \wedge \forall x.w_2)$

Proof:

1. $\vdash \forall x.w_1 \supset w_1$   by A12
2. $\vdash \forall x.w_2 \supset w_2$   by A12
3. $\vdash (\forall x.w_1 \wedge \forall x.w_2) \supset (w_1 \wedge w_2)$   by 1, 2 and PR
4. $\vdash (\forall x.w_1 \wedge \forall x.w_2) \supset \forall x.(w_1 \wedge w_2)$   by $\forall$I
5. $\vdash (w_1 \wedge w_2) \supset w_1$   by PT
6. $\vdash \forall x.(w_1 \wedge w_2) \supset \forall x.w_1$   by $\forall\forall$
7. $\vdash (w_1 \wedge w_2) \supset w_2$   by PT
8. $\vdash \forall x.(w_1 \wedge w_2) \supset \forall x.w_2$   by $\forall\forall$
9. $\vdash \forall x.(w_1 \wedge w_2) \supset (\forall x.w_1 \wedge \forall x.w_2)$   by 6, 8 and PR
10. $\vdash \forall x.(w_1 \wedge w_2) \equiv (\forall x.w_1 \wedge \forall x.w_2)$   by 4, 9 and PR

T42.  $\vdash \exists x.(w_1 \vee w_2) \equiv (\exists x.w_1 \vee \exists x.w_2)$

Proof:

1. $\vdash \forall x.(\sim w_1 \wedge \sim w_2) \equiv (\forall x.\sim w_1 \wedge \forall x.\sim w_2)$   by T41
2. $\vdash \forall x.\sim(w_1 \vee w_2) \equiv (\forall x.\sim w_1 \wedge \forall x.\sim w_2)$   by ER
3. $\vdash \sim \exists x.(w_1 \vee w_2) \equiv (\sim \exists x.w_1 \wedge \sim \exists x.w_2)$   by A11 and PR
4. $\vdash \exists x.(w_1 \vee w_2) \equiv (\exists x.w_1 \vee \exists x.w_2)$   by PR

T43.  $\vdash \forall x.(w_1 \vee w_2) \equiv (w_1 \vee \forall x.w_2)$   where $x$ is not free in $w_1$.

Proof:

1. $\vdash \forall x.(w_1 \vee w_2) \supset [w_1 \vee w_2]$   by A12
2. $\vdash [\forall x.(w_1 \vee w_2) \wedge \sim w_1] \supset w_2$   by PR
3. $\vdash [\forall x.(w_1 \vee w_2) \wedge \sim w_1] \supset \forall x.w_2$   by $\forall$I, since $x$ is not free in $\forall x.(w_1 \vee w_2) \wedge \sim w_1$
4. $\vdash \forall x.(w_1 \vee w_2) \supset (w_1 \vee \forall x.w_2)$   by PR
5. $\vdash w_1 \supset [w_1 \vee w_2]$   by PT
6. $\vdash \forall x.w_2 \supset w_2$   by A12
7. $\vdash \forall x.w_2 \supset [w_1 \vee w_2]$   by PR
8. $\vdash [w_1 \vee \forall x.w_2] \supset [w_1 \vee w_2]$   by 5, 7 and PR
9. $\vdash [w_1 \vee \forall x.w_2] \supset \forall x.(w_1 \vee w_2)$   by $\forall$I, since $x$ is not free in $w_1 \vee \forall x.w_2$
10. $\vdash \forall x.(w_1 \vee w_2) \equiv [w_1 \vee \forall x.w_2]$   by 4, 9 and PR

T44.  $\vdash \exists x.(w_1 \wedge w_2) \equiv [w_1 \wedge \exists x.w_2]$   where $x$ is not free in $w_1$.

Proof: By duality on the previous theorem.

The following two theorems show that the $\bigcirc$ operator also commutes with the quantifiers.

T45.  $\vdash (\forall x.\bigcirc w) \equiv (\bigcirc \forall x.w)$

Proof:

1. $\vdash (\forall x.\bigcirc w) \supset (\bigcirc \forall x.w)$   by A13
2. $\vdash \forall x.w \supset w$   by A12
3. $\vdash (\bigcirc \forall x.w) \supset \bigcirc w$   by $\bigcirc\bigcirc$
4. $\vdash (\bigcirc \forall x.w) \supset (\forall x.\bigcirc w)$   by $\forall$I
5. $\vdash (\forall x.\bigcirc w) \equiv (\bigcirc \forall x.w)$   by 1, 4 and PR

T46.  $\vdash (\exists x.\bigcirc w) \equiv (\bigcirc \exists x.w)$

Proof:

1. $\vdash (\forall x.\bigcirc \sim w) \equiv (\bigcirc \forall x.\sim w)$   by T45
2. $\vdash (\forall x.\sim \bigcirc w) \equiv (\bigcirc \sim \exists x.w)$   by A4, A11 and ER
3. $\vdash (\sim \exists x.\bigcirc w) \equiv (\sim \bigcirc \exists x.w)$   by A4, A11 and PR
4. $\vdash (\exists x.\bigcirc w) \equiv (\bigcirc \exists x.w)$   by PR


The following two theorems show that each temporal operator commutes with the quantifier that has similar character (universal, or existential).

T47.  $\vdash (\forall x.\Box w) \equiv (\Box \forall x.w)$

Proof:

1. $\vdash \Box w \supset [w \wedge \bigcirc\Box w]$   by T20 and PR
2. $\vdash (\forall x.\Box w) \supset \forall x.(w \wedge \bigcirc\Box w)$   by $\forall\forall$
3. $\vdash (\forall x.\Box w) \supset [(\forall x.w) \wedge (\forall x.\bigcirc\Box w)]$   by T41 and PR
4. $\vdash (\forall x.\Box w) \supset [(\forall x.w) \wedge (\bigcirc \forall x.\Box w)]$   by T45 and PR
5. $\vdash (\forall x.\Box w) \supset (\Box \forall x.w)$   by $\Box$CI, taking $u$ to be $\forall x.\Box w$ and $v$ to be $\forall x.w$
6. $\vdash (\forall x.w) \supset w$   by A12
7. $\vdash (\Box \forall x.w) \supset \Box w$   by $\Box\Box$
8. $\vdash (\Box \forall x.w) \supset (\forall x.\Box w)$   by $\forall$I
9. $\vdash (\forall x.\Box w) \equiv (\Box \forall x.w)$   by 5, 8 and PR


T48.  $\vdash (\exists x.\Diamond w) \equiv (\Diamond \exists x.w)$

Proof:

1. $\vdash (\forall x.\Box \sim w) \equiv (\Box \forall x.\sim w)$   by T47
2. $\vdash (\forall x.\sim \Diamond w) \equiv (\Box \sim \exists x.w)$   by A1, A11 and ER (twice)
3. $\vdash (\sim \exists x.\Diamond w) \equiv (\sim \Diamond \exists x.w)$   by A1, A11 and PR
4. $\vdash (\exists x.\Diamond w) \equiv (\Diamond \exists x.w)$   by PR

Theorem T47 implies the commutativity of $\forall$ with $\Box$: both have a universal character, with one quantifying over individuals and the other quantifying over states. Similarly, theorem T48 implies the commutativity of $\exists$ with $\Diamond$. The first two theorems (T45 and T46) imply the commutativity of $\forall$ and $\exists$ with $\bigcirc$.

The next two theorems are consistent with the interpretation that the U operator is universal with respect to its first argument and existential with respect to the second.

T49.  $\vdash \forall x.(w_1\,U\,w_2) \equiv (\forall x.w_1)\,U\,w_2$   where $x$ is not free in $w_2$

Proof:

1. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by A9 and PR
2. $\vdash \forall x.(w_1\,U\,w_2) \supset \forall x.[w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by $\forall\forall$
3. $\vdash \forall x.(w_1\,U\,w_2) \supset [w_2 \vee \forall x.(w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by $\forall$I and PR, since $x$ is not free in $w_2$
4. $\vdash \forall x.(w_1\,U\,w_2) \supset [w_2 \vee (\forall x.w_1 \wedge \forall x.\bigcirc(w_1\,U\,w_2))]$   by T41 and PR
5. $\vdash \forall x.(w_1\,U\,w_2) \supset [w_2 \vee (\forall x.w_1 \wedge \bigcirc \forall x.(w_1\,U\,w_2))]$   by T45 and PR
6. $\vdash \forall x.(w_1\,U\,w_2) \supset \Diamond w_2$   by A12, A10 and PR
7. $\vdash \forall x.(w_1\,U\,w_2) \supset (\forall x.w_1)\,U\,w_2$   by 5, 6 and RUI, taking $w$ to be $\forall x.(w_1\,U\,w_2)$, $u$ to be $\forall x.w_1$, and $v$ to be $w_2$
8. $\vdash (\forall x.w_1) \supset w_1$   by A12
9. $\vdash (\forall x.w_1)\,U\,w_2 \supset w_1\,U\,w_2$   by UU
10. $\vdash (\forall x.w_1)\,U\,w_2 \supset \forall x.(w_1\,U\,w_2)$   by $\forall$I, since $x$ is not free in $w_2$
11. $\vdash \forall x.(w_1\,U\,w_2) \equiv (\forall x.w_1)\,U\,w_2$   by 7, 10 and PR

T50.  $\vdash \exists x.(w_1\,U\,w_2) \equiv w_1\,U\,(\exists x.w_2)$   where $x$ is not free in $w_1$

Proof:

1. $\vdash w_1\,U\,w_2 \supset \Diamond w_2$   by A10
2. $\vdash \exists x.(w_1\,U\,w_2) \supset (\exists x.\Diamond w_2)$   by $\exists\exists$
3. $\vdash \exists x.(w_1\,U\,w_2) \supset (\Diamond \exists x.w_2)$   by T48 and PR
4. $\vdash w_1\,U\,w_2 \supset [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by A9 and PR
5. $\vdash \exists x.(w_1\,U\,w_2) \supset [(\exists x.w_2) \vee \exists x.(w_1 \wedge \bigcirc(w_1\,U\,w_2))]$   by T42, $\exists\exists$ and PR
6. $\vdash \exists x.(w_1\,U\,w_2) \supset [(\exists x.w_2) \vee (w_1 \wedge \exists x.\bigcirc(w_1\,U\,w_2))]$   by T44 and PR, since $x$ is not free in $w_1$
7. $\vdash \exists x.(w_1\,U\,w_2) \supset \{(\exists x.w_2) \vee [w_1 \wedge \bigcirc \exists x.(w_1\,U\,w_2)]\}$   by T46 and PR
8. $\vdash \exists x.(w_1\,U\,w_2) \supset w_1\,U\,(\exists x.w_2)$   by 3, 7, RUI and PR
9. $\vdash [w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))] \supset w_1\,U\,w_2$   by A9 and PR
10. $\vdash \exists x.[w_2 \vee (w_1 \wedge \bigcirc(w_1\,U\,w_2))] \supset \exists x.(w_1\,U\,w_2)$   by $\exists\exists$
11. $\vdash [(\exists x.w_2) \vee \exists x.(w_1 \wedge \bigcirc(w_1\,U\,w_2))] \supset \exists x.(w_1\,U\,w_2)$   by T42 and PR
12. $\vdash [(\exists x.w_2) \vee (w_1 \wedge \exists x.\bigcirc(w_1\,U\,w_2))] \supset \exists x.(w_1\,U\,w_2)$   by T44 and PR, since $x$ is not free in $w_1$
13. $\vdash [(\exists x.w_2) \vee (w_1 \wedge \bigcirc \exists x.(w_1\,U\,w_2))] \supset \exists x.(w_1\,U\,w_2)$   by T46 and PR
14. $\vdash w_1\,U\,(\exists x.w_2) \supset \exists x.(w_1\,U\,w_2)$   by LUI, taking $u$ to be $w_1$, $v$ to be $\exists x.w_2$, and $w$ to be $\exists x.(w_1\,U\,w_2)$
15. $\vdash \exists x.(w_1\,U\,w_2) \equiv w_1\,U\,(\exists x.w_2)$   by 8, 14 and PR

While operators of similar character, i.e., both universal or both existential, commute to yield 
equivalent formulas, operators of opposite character usually admit implication in one direction 
only. Thus we have: 

T51. $\vdash \exists x.\Box w \supset \Box\exists x.w$

T52. $\vdash \Diamond\forall x.w \supset \forall x.\Diamond w$

T53(a). $\vdash \exists x.(w_1\,U\,w_2) \supset (\exists x.w_1)\,U\,w_2$ where x is not free in $w_2$
(b). $\vdash w_1\,U\,(\forall x.w_2) \supset \forall x.(w_1\,U\,w_2)$ where x is not free in 

Theorems of similar character are: 

T54(a). $\vdash \exists x.(u\,U\,v) \supset (\exists x.u)\,U\,(\exists x.v)$

(b). $\vdash (\forall x.u)\,U\,(\forall x.v) \supset \forall x.(u\,U\,v)$

THE NEXT OPERATOR APPLIED TO TERMS: 

The use of the next operator $\bigcirc$ applied to terms is governed by the axioms: 

A14. $\vdash \bigcirc f(t_1,\ldots,t_n) = f(\bigcirc t_1,\ldots,\bigcirc t_n)$ 
for any function f and terms $t_1,\ldots,t_n$

A15. $\vdash \bigcirc p(t_1,\ldots,t_n) \equiv p(\bigcirc t_1,\ldots,\bigcirc t_n)$ 
for any predicate p and terms $t_1,\ldots,t_n$

These axioms are consistent with the evaluation rules that we gave, which stated that in 
order to evaluate an expression $\bigcirc\xi(t_1,\ldots,t_n)$ we can evaluate $\xi(\bigcirc t_1,\ldots,\bigcirc t_n)$ whether $\xi$ is a 
function or a predicate. 


5. EQUALITY 

Equality is handled by the following axioms: 

AXIOMS: 

A16. Reflexivity of Equality 

$\vdash t = t$ for any term t 

A17. Substitutivity of Equality 

$\vdash (t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ 

where $t_2$ is any term globally free for $t_1$ in w 
and where w does not contain temporal operators 

A18. $\vdash \bigcirc(t_1 = t_2) \equiv (\bigcirc t_1 = \bigcirc t_2)$ 

We use $w(t_1,t_2)$ to indicate that $t_2$ replaces some of the occurrences of $t_1$ in w. 

The axiom A18 is a special case of A15 when the predicate p is the equality predicate. 

Recall that a term $t_2$ is said to be globally free for $t_1$ in w if substitution of $t_2$ for all free 
occurrences of $t_1$ in w: (a) does not create new bound occurrences of (global) variables (i.e., $t_2$ is 
free for $t_1$ in w), and (b) does not create new occurrences of local variables in the scope of a modal 
operator. 

Note that the classical axiom for substitutivity of equality A17 
$\vdash (t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ 

(where $t_2$ is free for $t_1$ in w) is not correct if w contains temporal operators. We could take $w(t_1,t_2)$ 
to be $\Box(t_1 = t_2)$ and deduce from A17 

$\vdash (t_1 = t_2) \supset [\Box(t_1 = t_1) \equiv \Box(t_1 = t_2)]$, 

$\vdash (t_1 = t_2) \supset \Box(t_1 = t_2)$ 

which is not a valid statement (since $t_1 = t_2$ may contain local variables). 

T55. Commutativity of Equality 

$\vdash (t_1 = t_2) \supset (t_2 = t_1)$ 

Proof: 

1. $\vdash (t_1 = t_2) \supset [(t_1 = t_1) \equiv (t_2 = t_1)]$ by A17 

2. $\vdash t_1 = t_1$ by A16 

3. $\vdash (t_1 = t_2) \supset (t_2 = t_1)$ by 1, 2 and PR 

T56. Transitivity of Equality 

$\vdash [(t_1 = t_2) \wedge (t_2 = t_3)] \supset (t_1 = t_3)$ 

Proof: 

1. $\vdash (t_1 = t_2) \supset [(t_1 = t_3) \equiv (t_2 = t_3)]$ by A17 

2. $\vdash [(t_1 = t_2) \wedge (t_2 = t_3)] \supset (t_1 = t_3)$ by PR 

T57. Term Equality 

(a) $\vdash \Box(t_1 = t_2) \supset [\tau(t_1,t_1) = \tau(t_1,t_2)]$ for any term $\tau$ 

(b) $\vdash (t_1 = t_2) \supset (\tau(t_1,t_1) = \tau(t_1,t_2))$ 

provided $\tau$ does not contain the next operator. 

Proof of (a): 

By induction on the structure of $\tau$. 

Case: $\tau(t_1,t_1) = t_1$ and $\tau(t_1,t_2) = t_1$. Then 

1. $\vdash t_1 = t_1$ by A16 

2. $\vdash \Box(t_1 = t_2) \supset [\tau(t_1,t_1) = \tau(t_1,t_2)]$ by PR and the definition of $\tau(t_1,t_1)$ and $\tau(t_1,t_2)$ 

Case: $\tau(t_1,t_1) = t_1$ and $\tau(t_1,t_2) = t_2$. Then 

1. $\vdash \Box(t_1 = t_2) \supset (t_1 = t_2)$ by A3 

2. $\vdash \Box(t_1 = t_2) \supset [\tau(t_1,t_1) = \tau(t_1,t_2)]$ by the definition of $\tau(t_1,t_1)$ and $\tau(t_1,t_2)$ 

Case: $\tau(t_1,t_1) = f(\tau_1(t_1,t_1),\ldots,\tau_k(t_1,t_1))$ and $\tau(t_1,t_2) = f(\tau_1(t_1,t_2),\ldots,\tau_k(t_1,t_2))$. Then 

1. $\vdash \Box(t_1 = t_2) \supset [\tau_i(t_1,t_1) = \tau_i(t_1,t_2)]$, for $i = 1,\ldots,k$, by the induction assumption. 

2. $\vdash \bigwedge_{i=1}^{k}[\tau_i(t_1,t_1) = \tau_i(t_1,t_2)] \supset [f(\tau_1(t_1,t_1),\ldots,\tau_k(t_1,t_1)) = f(\tau_1(t_1,t_2),\ldots,\tau_k(t_1,t_2))]$ 
by repeated application of A17 and using T56 for transitivity of equality. 

A typical step in this repeated application is: 

$\vdash [\tau_i(t_1,t_1) = \tau_i(t_1,t_2)] \supset [f(\tau_1(t_1,t_2),\ldots,\tau_{i-1}(t_1,t_2),\tau_i(t_1,t_1),\tau_{i+1}(t_1,t_1),\ldots,\tau_k(t_1,t_1)) = f(\tau_1(t_1,t_2),\ldots,\tau_{i-1}(t_1,t_2),\tau_i(t_1,t_2),\tau_{i+1}(t_1,t_1),\ldots,\tau_k(t_1,t_1))]$ 

justified by A17 and the fact that $\tau_i(t_1,t_2)$ is free for $\tau_i(t_1,t_1)$ in $f(\ldots)$ since f does not contain any 
temporal operators. 

3. $\vdash \Box(t_1 = t_2) \supset [\tau(t_1,t_1) = \tau(t_1,t_2)]$ by 1, 2, PR and the definition of $\tau(t_1,t_1)$ and $\tau(t_1,t_2)$. 

Case: $\tau(t_1,t_1) = \bigcirc\tau'(t_1,t_1)$ and $\tau(t_1,t_2) = \bigcirc\tau'(t_1,t_2)$. Then 

1. $\vdash \Box(t_1 = t_2) \supset [\tau'(t_1,t_1) = \tau'(t_1,t_2)]$ by the induction hypothesis 

2. $\vdash \bigcirc\Box(t_1 = t_2) \supset \bigcirc[\tau'(t_1,t_1) = \tau'(t_1,t_2)]$ by $\bigcirc\bigcirc$ 

3. $\vdash \bigcirc[\tau'(t_1,t_1) = \tau'(t_1,t_2)] \supset [\bigcirc\tau'(t_1,t_1) = \bigcirc\tau'(t_1,t_2)]$ by A18 and PR 

4. $\vdash \Box(t_1 = t_2) \supset \bigcirc\Box(t_1 = t_2)$ by A7 

5. $\vdash \Box(t_1 = t_2) \supset [\bigcirc\tau'(t_1,t_1) = \bigcirc\tau'(t_1,t_2)]$ by 4, 2, 3 and PR 

6. $\vdash \Box(t_1 = t_2) \supset [\tau(t_1,t_1) = \tau(t_1,t_2)]$ by the definition of $\tau(t_1,t_1)$, $\tau(t_1,t_2)$. 

Proof of (b): 

1. $\vdash (t_1 = t_2) \supset [(\tau(t_1) = \tau(t_2)) \equiv (\tau(t_2) = \tau(t_2))]$ by A17 (no $\bigcirc$ in $\tau$) 

2. $\vdash \tau(t_2) = \tau(t_2)$ by A16 

3. $\vdash (t_1 = t_2) \supset (\tau(t_1) = \tau(t_2))$ by 1, 2 and PR 

The following theorem generalizes A17 to arbitrary formulas. 

T58. Substitutivity of Equality 

$\vdash \Box(t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ where $t_2$ is free for $t_1$ in w. 

Proof: 

By induction on the structure of w. 

Case: w contains no temporal operators. Then 

1. $\vdash (t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ by A17 

2. $\vdash \Box(t_1 = t_2) \supset (t_1 = t_2)$ by A3 

3. $\vdash \Box(t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ by MP 

Case: $w(t_1,t_2)$ is of the form $\tau_1(t_1,t_2) = \tau_2(t_1,t_2)$. Then 

1. $\vdash \Box(t_1 = t_2) \supset [\tau_1(t_1,t_1) = \tau_1(t_1,t_2)]$ by T57 

2. $\vdash \Box(t_1 = t_2) \supset [\tau_2(t_1,t_1) = \tau_2(t_1,t_2)]$ by T57 

3. $\vdash [\tau_1(t_1,t_1) = \tau_1(t_1,t_2)] \supset [(\tau_1(t_1,t_1) = \tau_2(t_1,t_1)) \equiv (\tau_1(t_1,t_2) = \tau_2(t_1,t_1))]$ 
by A17 of the form $(\theta_1 = \theta_2) \supset [(\theta_1 = \tau_2(t_1,t_1)) \equiv (\theta_2 = \tau_2(t_1,t_1))]$ 
with $\theta_1 = \tau_1(t_1,t_1)$ and $\theta_2 = \tau_1(t_1,t_2)$ 

4. $\vdash \Box(t_1 = t_2) \supset [(\tau_1(t_1,t_1) = \tau_2(t_1,t_1)) \equiv (\tau_1(t_1,t_2) = \tau_2(t_1,t_1))]$ by 1, 3 and PR 

5. $\vdash \Box(t_1 = t_2) \supset [(\tau_1(t_1,t_2) = \tau_2(t_1,t_1)) \equiv (\tau_1(t_1,t_2) = \tau_2(t_1,t_2))]$ similarly by A17, using 2 

6. $\vdash \Box(t_1 = t_2) \supset [(\tau_1(t_1,t_1) = \tau_2(t_1,t_1)) \equiv (\tau_1(t_1,t_2) = \tau_2(t_1,t_2))]$ by 4, 5 and PR 

7. $\vdash \Box(t_1 = t_2) \supset [w(t_1,t_1) \equiv w(t_1,t_2)]$ by the definition of $w(t_1,t_2)$ 

Case: w is of the form $\Box u$. Then 

1. $\vdash \Box(t_1 = t_2) \supset [u(t_1,t_1) \equiv u(t_1,t_2)]$ induction hypothesis 

2. $\vdash \Box(t_1 = t_2)$ assumption 

3. $\vdash u(t_1,t_1) \equiv u(t_1,t_2)$ by MP 

4. $\vdash \Box u(t_1,t_1) \equiv \Box u(t_1,t_2)$ by $\Box\Box$ 

Thus, $\Box(t_1 = t_2) \vdash [\Box u(t_1,t_1) \equiv \Box u(t_1,t_2)]$ 

5. $\vdash \Box\Box(t_1 = t_2) \supset [\Box u(t_1,t_1) \equiv \Box u(t_1,t_2)]$ by DED 

6. $\vdash \Box(t_1 = t_2) \supset [\Box u(t_1,t_1) \equiv \Box u(t_1,t_2)]$ by T3 and PR 

The cases in which w is of the form $\Diamond u$, $\bigcirc u$, $\forall x.u$ and $\exists x.u$ are treated similarly, using the 
$\Diamond\Diamond$-rule, the $\bigcirc\bigcirc$-rule, the $\forall\forall$-rule and the $\exists\exists$-rule, respectively. 

Case: w is of the form $u\,U\,v$. 

1. $\vdash \Box(t_1 = t_2) \supset [u(t_1,t_1) \equiv u(t_1,t_2)]$ induction hypothesis 

2. $\vdash \Box(t_1 = t_2) \supset [v(t_1,t_1) \equiv v(t_1,t_2)]$ induction hypothesis 

3. $\vdash \Box(t_1 = t_2)$ assumption 

4. $\vdash u(t_1,t_1) \equiv u(t_1,t_2)$ by 1, 3 and MP 

5. $\vdash v(t_1,t_1) \equiv v(t_1,t_2)$ by 2, 3 and MP 

6. $\vdash (u(t_1,t_1)\,U\,v(t_1,t_1)) \equiv (u(t_1,t_2)\,U\,v(t_1,t_2))$ by 4, 5 and ER 

Thus, $\Box(t_1 = t_2) \vdash [(u(t_1,t_1)\,U\,v(t_1,t_1)) \equiv (u(t_1,t_2)\,U\,v(t_1,t_2))]$ 

7. $\vdash \Box\Box(t_1 = t_2) \supset [(u(t_1,t_1)\,U\,v(t_1,t_1)) \equiv (u(t_1,t_2)\,U\,v(t_1,t_2))]$ by DED 

8. $\vdash \Box(t_1 = t_2) \supset [(u(t_1,t_1)\,U\,v(t_1,t_1)) \equiv (u(t_1,t_2)\,U\,v(t_1,t_2))]$ by T3 and PR 


6. FRAME AXIOMS AND RULES 

In this section we consider the consequences of the partition of the set of all variables into 
local and global variables. By the semantic definition, global variables are given their value by the 
global assignment $\alpha$, and these values do not vary from state to state. Consequently, for a global 
variable u it must be universally true that $u = \bigcirc u$, i.e., the value of u at any state is identical 
to its value in the next state (see A19 below). The following axioms are called frame axioms in 
reference to the "frame axiom" in Hoare's deductive system for program verification ([HL]). 

Recall that we split the set of our symbols into two subsets: global and local symbols. The 
logical consequence of this convention is the following frame axiom: 

A19. Frame Axiom 

$\vdash x = \bigcirc x$ for every global variable x 

We can therefore prove by induction on the structure of the term t and the formula w the 
following frame theorems: 

T59. For a term t and formula w 

(a) $\vdash t = \bigcirc t$ 
where t is global, i.e., does not contain local symbols 

(b) $\vdash w \equiv \Box w$ 
where w is global, i.e., does not contain local symbols. 

(c) $\vdash w(\bigcirc y_1,\ldots,\bigcirc y_n) \equiv \bigcirc w(y_1,\ldots,y_n)$ 
where $y_1,\ldots,y_n$ are all the local variables in w. 

We present several frame theorems that facilitate moving global formulas in and out of the 
scope of temporal operators. 


T60. $\vdash \Box(w_1 \vee w_2) \equiv (w_1 \vee \Box w_2)$ 

where $w_1$ is global, i.e., contains no local symbols. 

Proof: 

1. $\vdash \neg w_1 \supset \Box\neg w_1$ by T59b 

2. $\vdash [\Box(w_1 \vee w_2) \wedge \Box\neg w_1] \supset \Box[(w_1 \vee w_2) \wedge \neg w_1]$ by T7 and PR 

3. $\vdash [(w_1 \vee w_2) \wedge \neg w_1] \supset w_2$ by PT 

4. $\vdash [\Box(w_1 \vee w_2) \wedge \Box\neg w_1] \supset \Box w_2$ by 2, 3, $\Box\Box$ and PR 

5. $\vdash [\Box(w_1 \vee w_2) \wedge \neg w_1] \supset \Box w_2$ by 1, 4 and PR 

6. $\vdash \Box(w_1 \vee w_2) \supset (w_1 \vee \Box w_2)$ by PR 

7. $\vdash w_1 \supset \Box w_1$ by T59b 

8. $\vdash (w_1 \vee \Box w_2) \supset (\Box w_1 \vee \Box w_2)$ by PR 

9. $\vdash (\Box w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$ by T9 

10. $\vdash (w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$ by 8, 9 and PR 

11. $\vdash \Box(w_1 \vee w_2) \equiv (w_1 \vee \Box w_2)$ by 6, 10 and PR 

T61. $\vdash \Diamond(w_1 \wedge w_2) \equiv (w_1 \wedge \Diamond w_2)$ where $w_1$ is global. 
Proof: The proof follows from T60 by duality. 
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A derived frame rule that we will be using is 

Frame Rule — FR 

$\vdash u \supset \Diamond v$ 

$\vdash (w \wedge u) \supset \Diamond(w \wedge v)$ 
where w is global 

Proof: 

1. $\vdash u \supset \Diamond v$ given 

2. $\vdash (w \wedge u) \supset (w \wedge \Diamond v)$ by PR 

3. $\vdash (w \wedge \Diamond v) \supset \Diamond(w \wedge v)$ by T61 and PR 

4. $\vdash (w \wedge u) \supset \Diamond(w \wedge v)$ by 2, 3 and PR 


C. DOMAIN PART 

The next part of the system contains domain axioms that specify the necessary properties 
of the domain of interest. Thus, to reason about programs manipulating natural numbers, we 
need the set of Peano Axioms, and to reason about trees we need a set of axioms giving the basic 
properties of trees and the basic operations defined on them. 


7. INDUCTION AXIOMS AND RULES 

An essential axiom schema for many domains is the induction axiom schema. This (and 
all other schemas) should be formulated to admit temporal instances as subformulas. Thus the 
induction principle for natural numbers can be stated as follows: 

A20. Induction Axiom 

$\vdash \{R(0) \wedge \forall n[R(n) \supset R(n+1)]\} \supset R(k)$ 
for any statement R. 

One instance of this axiom, which will be used later, is obtained by taking $R(n)$ to be $\Box(Q(n) \supset \Diamond\psi)$: 

T62. Induction Theorem: 

$\vdash \{\Box(Q(0) \supset \Diamond\psi) \wedge \forall n[\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)]\} \supset \Box(Q(k) \supset \Diamond\psi)$. 

Using this induction theorem we can derive the following useful induction rule: 

$\Diamond$ Induction Rule — $\Diamond$IND 
$\vdash Q(0) \supset \Diamond\psi$ 
$\vdash Q(n+1) \supset [\Diamond\psi \vee \Diamond Q(n)]$ 

$\vdash Q(k) \supset \Diamond\psi$ 

$\Diamond$IND is useful for proving convergence of a loop: show that $Q(0)$ guarantees $\Diamond\psi$ and that for 
each n, either $Q(n+1)$ implies $Q(n)$ across the loop or it already establishes $\Diamond\psi$ and no further 
execution is necessary. Then for any k, $Q(k)$ ensures that $\Diamond\psi$ is established. 

Proof: 

1. $\vdash Q(0) \supset \Diamond\psi$ given 

2. $\vdash \Box(Q(0) \supset \Diamond\psi)$ by $\Box$I 

3. $\vdash Q(n+1) \supset (\Diamond\psi \vee \Diamond Q(n))$ given 

4. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset (\Diamond Q(n) \supset \Diamond\psi)$ by T6, T4 and PR 

5. $\vdash [Q(n+1) \wedge \Box(Q(n) \supset \Diamond\psi)] \supset \Diamond\psi$ by 3, 4 and PR 

6. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset (Q(n+1) \supset \Diamond\psi)$ by PR 

7. $\vdash \Box\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)$ by $\Box\Box$ 

8. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)$ by T3 and PR 

9. $\vdash \forall n[\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)]$ by $\forall$I 

10. $\vdash \Box(Q(k) \supset \Diamond\psi)$ by 2, 9 and T62 

11. $\vdash Q(k) \supset \Diamond\psi$ by A3 and MP 
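As an added illustration (not taken from the paper), here is $\Diamond$IND instantiated for a countdown loop written with the instruction forms of Section 8; the program, the choice of $Q$ and of $\psi$, and the sketched justifications of the two premises are my own:

$$
\begin{aligned}
&\text{Program } P:\quad \ell_0:\ \textbf{if } y > 0 \textbf{ then go to } \ell_1 \textbf{ else go to } \ell_3;\quad
\ell_1:\ y := y - 1;\quad \ell_2:\ \textbf{go to } \ell_0;\quad \ell_3:\ \textbf{halt}\\[2pt]
&Q(n) \;:=\; at\,\ell_0 \wedge (y = n), \qquad \psi \;:=\; at\,\ell_3\\[2pt]
&\text{Premise 1: } \vdash Q(0) \supset \Diamond\psi
 \qquad\text{(at } \ell_0 \text{ with } y = 0 \text{ the only enabled edge is } \neg(y > 0) \to \ell_3\text{)}\\
&\text{Premise 2: } \vdash Q(n+1) \supset [\Diamond\psi \vee \Diamond Q(n)]
 \qquad\text{(at } \ell_0 \text{ with } y = n+1 > 0 \text{ the path } \ell_0 \to \ell_1 \to \ell_2 \to \ell_0 \text{ takes } y \text{ from } n+1 \text{ to } n\text{)}\\[2pt]
&\text{Conclusion: } \vdash Q(k) \supset \Diamond\psi, \text{ i.e. } (at\,\ell_0 \wedge y = k) \supset \Diamond at\,\ell_3 \text{ for every } k \in N.
\end{aligned}
$$

Each premise is itself a liveness statement about the single process of $P$; in the program part of the system (Section 9) it is established with the fairness-based rules, since the process is enabled at every location on the path and so, by fairness, is eventually activated.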

While induction over the natural numbers is usually sufficient in order to prove properties 
of sequential programs, we need induction over more general orderings in order to reason about 
concurrent programs ([LPS]). Thus we have to formulate a more general induction principle over 
arbitrary well-founded orderings. 

Let $(A, \prec)$ be a partially ordered set. We call the ordering $\prec$ a well-founded ordering if there 
exists no infinitely decreasing sequence of elements in A: 

$\alpha_1 \succ \alpha_2 \succ \alpha_3 \succ \cdots$ 

For each well-founded ordering $(A, \prec)$, the following is a valid induction rule: 

R5. Well-Founded Induction Rule — WIND 
$\vdash \forall\beta[(\beta \prec \alpha) \supset w(\beta)] \supset w(\alpha)$ 

$\vdash w(\alpha)$ 

This rule should hold for an arbitrary temporal formula $w(\alpha)$ dependent on a global variable 
$\alpha \in A$, and we adopt it as a primitive inference rule. 

To justify the rule semantically we may argue as follows: 

Assume that the premise to the rule is true, but the conclusion is not. Then there must exist 
a model M and an $\alpha_1$ such that $w(\alpha_1)$ is false under M. By the premise there must exist some $\alpha_2$ 
such that $\alpha_2 \prec \alpha_1$ and $w(\alpha_2)$ is false under M. Arguing in a similar way we obtain an infinitely 
decreasing sequence: 

$\alpha_1 \succ \alpha_2 \succ \alpha_3 \succ \cdots$ 

such that for each i, $w(\alpha_i)$ is false under M. This of course contradicts the well-foundedness of 
$(A, \prec)$. 

Note that the induction axiom and rules can be derived from WIND by taking $(A, \prec)$ to be 
$(N, <)$. 
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In order to use the WIND rule, one has to establish that the ordering $\prec$ is indeed a well-founded 
ordering. Several specific orderings are known to be well-founded (such as lexicographic ordering 
over tuples of integers, multisets, etc.), and may be freely used. However the general statement 
that an ordering is well-founded is a second order statement which may require second order 
reasoning for its establishment. 

By substitution of a special form of a temporal formula we can obtain the following induction 
principle for $\Diamond$ formulas: 

Well-Founded $\Diamond$ Induction Rule — $\Diamond$WIND 

$\vdash w(\alpha) \supset \Diamond(\psi \vee \exists\beta[(\beta \prec \alpha) \wedge w(\beta)])$ 

$\vdash w(\alpha) \supset \Diamond\psi$ 

We show that $\Diamond$WIND follows from WIND. 

Proof: 

1. $\vdash w(\alpha) \supset \Diamond(\psi \vee \exists\beta[(\beta \prec \alpha) \wedge w(\beta)])$ given 

2. $\vdash w(\alpha) \supset (\Diamond\psi \vee \Diamond\exists\beta[(\beta \prec \alpha) \wedge w(\beta)])$ by T8 and PR 

3. $\vdash \Box(\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi) \supset (\Diamond\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi)$ by T6, T4 and PR 

4. $\vdash \{w(\alpha) \wedge \Box(\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi)\} \supset \Diamond\psi$ by 2, 3 and PR 

5. $\vdash \Box(\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi) \supset (w(\alpha) \supset \Diamond\psi)$ by PR 

6. $\vdash (\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi) \equiv (\neg\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \vee \Diamond\psi)$ by PR 

7. $\vdash (\neg\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \vee \Diamond\psi) \equiv (\forall\beta[\neg(\beta \prec \alpha) \vee \neg w(\beta)] \vee \Diamond\psi)$ by A11, ER and PR 

8. $\vdash (\forall\beta[\neg(\beta \prec \alpha) \vee \neg w(\beta)] \vee \Diamond\psi) \equiv \forall\beta[(\beta \prec \alpha) \supset (w(\beta) \supset \Diamond\psi)]$ by T43, PR and ER, since $\Diamond\psi$ does not depend on $\beta$ 

9. $\vdash (\exists\beta[(\beta \prec \alpha) \wedge w(\beta)] \supset \Diamond\psi) \equiv \forall\beta[(\beta \prec \alpha) \supset (w(\beta) \supset \Diamond\psi)]$ by 6, 7, 8 and PR 

10. $\vdash \Box\forall\beta[(\beta \prec \alpha) \supset (w(\beta) \supset \Diamond\psi)] \supset (w(\alpha) \supset \Diamond\psi)$ by 9, 5 and ER 

11. $\vdash \Box\forall\beta[(\beta \prec \alpha) \supset (w(\beta) \supset \Diamond\psi)] \supset \Box(w(\alpha) \supset \Diamond\psi)$ by T3, $\Box\Box$ and PR 

12. $\vdash \forall\beta\Box[(\beta \prec \alpha) \supset (w(\beta) \supset \Diamond\psi)] \supset \Box(w(\alpha) \supset \Diamond\psi)$ by T47 and PR 

13. $\vdash \forall\beta[(\beta \prec \alpha) \supset \Box(w(\beta) \supset \Diamond\psi)] \supset \Box(w(\alpha) \supset \Diamond\psi)$ by T60, ER and PR, since $(\beta \prec \alpha)$ is global 

14. $\vdash \Box(w(\alpha) \supset \Diamond\psi)$ by WIND, taking $w(\alpha)$ to be $\Box(w(\alpha) \supset \Diamond\psi)$ 

15. $\vdash w(\alpha) \supset \Diamond\psi$ by A3 and PR 

D. PROGRAM PART 

Our proof system must be augmented by additional axioms that reflect the structure of the 
program under consideration. The additional axioms constrain the state sequences to be exactly 
the set of execution sequences of the program under study. This relieves us from the need to 
include program text explicitly in the system; all the necessary information is captured by the 
additional axioms. 


8. PROGRAMS AND COMPUTATIONS 

In our model a concurrent program consists of m parallel processes: 
$P :\ \bar y := g(\bar x);\ [P_1 \parallel \ldots \parallel P_m]$. 

Each process $P_i$ is represented as a transition graph with locations (nodes) $L_i =$ 

The edges in the graph are labelled by guarded commands of the form $c(\bar y) \to [\bar y := f(\bar y)]$ whose 
meaning is that if $c(\bar y)$ is true the edge may be traversed while replacing $\bar y$ by $f(\bar y)$. 

Let $\ell, \ell_1, \ldots, \ell_k \in L_i$ be locations in process $P_i$ [diagram not reproduced]. 

The variables $\bar y = (y_1,\ldots,y_n)$ are shared by all processes. We define $E_\ell(\bar y) = c_1(\bar y) \vee \ldots \vee c_k(\bar y)$ 
to be the exit condition at node $\ell$. We do not require that the conditions $c_i$ be either exclusive 
or exhaustive. 

The advantage of the transition graph representation is that programs are represented in a 
uniform way and that we have only to deal with one type of instruction. We show first that 
programs represented in a linear text form can easily be translated into graph form. 

Assume that a linear text program allows the following types of instructions: 

Assignment: $\bar y := f(\bar y)$ 
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Conditional Branch: if $p(\bar y)$ then go to $\ell_1$ else go to $\ell_2$ 

Halt: halt 

Waiting loop: loop until $p(\bar y)$ 
loop while $p(\bar y)$ 

and the semaphore instructions 

Request: $request(y)$ 

Release: $release(y)$ 

A linear text program for each of the processes has the following form: 

$\ell_0 : I_0$ 
$\ell_1 : I_1$ 
$\ldots$ 
$\ell_t :$ halt or go to $\ell_j$ 

where $\ell_0,\ldots,\ell_t$ are labels and $I_0,\ldots,I_t$ are instructions from the list above. 

The graph representation of such a program for process $P_i$ will be a labelled graph with 
$L_i = \{\ell_0,\ldots,\ell_t\}$ as the set of nodes. For each instruction I at label $\ell \in L_i$ we construct edges as 
follows (the transition diagrams of the original are not reproduced; only the edge labels that survive are given): 

► for the instruction 
$\ell :\ \bar y := f(\bar y)$ 
$\ell' :$ 
construct the edge $true \to [\bar y := f(\bar y)]$ from $\ell$ to $\ell'$ 

► for the instruction 
$\ell :$ if $p(\bar y)$ then go to $\ell'$ else go to $\ell''$ 
construct the edges labelled $p(\bar y) \to$ [remainder of diagram not reproduced] 

► for the instruction 
$\ell :$ if $p(\bar y)$ then go to $\ell'$ 
$\ell'' :$ 
construct [diagram not reproduced] 

► for the instruction 
$\ell :$ if $p(\bar y)$ then $\bar y := f(\bar y)$ 
$\ell' :$ 
construct [diagram not reproduced] 

► for the instruction 
$\ell :$ loop until $p(\bar y)$ 
$\ell' :$ 
construct [diagram not reproduced] 

► for the instruction 
$\ell :$ loop while $p(\bar y)$ 
$\ell' :$ 
construct [diagram not reproduced] 

► for the instruction 
$\ell :\ request(y)$ 
$\ell' :$ 
construct the edge $y > 0 \to [y := y - 1]$ from $\ell$ to $\ell'$ 

► for the instruction 
$\ell :\ release(y)$ 
$\ell' :$ 
construct the edge $true \to [y := y + 1]$ from $\ell$ to $\ell'$ 

For halt at label $\ell$ we construct no edges out of $\ell$. 

The actual translation into graph form need not be carried out explicitly. Rather, the general 
axiomatic description of transition diagrams can be easily translated to axioms for each of the 
types of instructions in the linear text form. 

A state of the program P is a tuple of the form $s = (\bar\ell;\bar\eta)$ with $\bar\ell \in L_1 \times \ldots \times L_m$ and 
$\bar\eta \in D^n$, where D is the domain over which the program variables $y_1,\ldots,y_n$ range. The vector 
$\bar\ell = (\ell^1,\ldots,\ell^m)$ is the set of current locations which are next to be executed in each of the 
processes. The vector $\bar\eta$ is the set of current values assumed by the program variables $\bar y$ at state s. 

Let $s = (\ell^1,\ldots,\ell^i,\ldots,\ell^m;\bar\eta)$ be a state. We say that process $P_i$ is enabled on s if $E_{\ell^i}(\bar\eta)$ is 
true. This implies that if we let $P_i$ run at this point, there is at least one condition $c_j$ among the 
edges departing from $\ell^i$ that is true. Otherwise, we say that $P_i$ is disabled on s. An example of a 
disabled process is the case where $\ell^i$ labels an instruction $request(y)$ and $y = 0$. Another example 
is that of $\ell^i$ labeling a halt statement. A state is defined to be terminal if no $P_i$ is enabled on it. 

Given a program P we define the notion of a computation step of P. 

Let $s = (\ell^1,\ldots,\ell^m;\bar\eta)$ and $\tilde s = (\tilde\ell^1,\ldots,\tilde\ell^m;\tilde\eta)$ be two states of P. Let $\tau$ be a transition in 
$P_i$ of the form: 

$\ell \xrightarrow{\;c(\bar y) \to [\bar y := f(\bar y)]\;} \ell'$ 

with $\ell^i = \ell$ and $\tilde\ell^i = \ell'$, such that $c(\bar\eta) = true$, $\tilde\eta = f(\bar\eta)$, and for every $j \neq i$, $\tilde\ell^j = \ell^j$. Then we say that $\tilde s$ can be 
obtained from s by a $P_i$-step (a single computation step), and write 

$s \xrightarrow{P_i} \tilde s$. 

An initialized admissible computation of a program P for an input $\bar x = \bar\xi$ is a labelled maximal 
sequence of states of P: 

[sequence not reproduced] 

which satisfies the following three conditions. (The sequence a is considered maximal if it cannot 
be extended, i.e., it is either infinite or ends with a state which is terminal.) 

A. Initialization: 

The first state $s_0$ has the form: 

$s_0 = (\bar\ell_0;\ g(\bar\xi))$ 

where $\bar\ell_0 = (\ell^1_0,\ldots,\ell^m_0)$ is the vector of initial locations. The values $g(\bar\xi)$ are the initial 
values assigned to the $\bar y$ variables for the input $\bar\xi$. 

B. State to State Sequencing: 

Every step in the computation $s_j \to s_{j+1}$ is justified by a $P_i$-step. 

C. Fairness: 

Every $P_i$ which is enabled on infinitely many states in a must be activated infinitely many 
times in a, i.e., there must be an infinite number of $P_i$-steps in a. 

We define an admissible computation of P for input $\bar\xi$ to be either an initialized admissible 
computation or a suffix of an initialized admissible computation. 

Thus the class of admissible computations is closed under the operation of taking the suffix. 
This is needed in order to ensure soundness of the inference rule $\Box$I. We denote the class of 
all $\bar\xi$-admissible computations of a program P by $A(P,\bar\xi)$. 

An admissible computation is said to be convergent if it is finite: 

[sequence not reproduced] 

If the terminal state $s_f$ in a convergent computation is of the form $s_f = (\hat\ell^1,\ldots,\hat\ell^m;\bar\eta)$ 
where each $\hat\ell^i$ labels a halt instruction, we say that the computation has terminated. Otherwise, 
we say that the computation has blocked or is deadlocked. 

In order to describe properties of states we introduce a vector of location variables 
$\bar\pi = (\pi_1,\ldots,\pi_m)$. Each $\pi_i$ ranges over $L_i$, and assumes the location value $\ell^i$ in a state 
$s = (\ell^1,\ldots,\ell^m;\bar\eta)$. 

Thus we may describe a state $s = (\bar\ell;\bar\eta)$ by saying that in this state $\bar\pi = \bar\ell$ and $\bar y = \bar\eta$. 

A state formula $Q = Q(\bar\pi;\bar y)$ is any formula which contains no temporal operators. It is built 
up of terms and predicates over the location and program variables $(\bar\pi;\bar y)$ and may also refer to 
global variables. 

We frequently abbreviate the statement $\pi_i = \ell$ to $at\,\ell$. Since the $L_i$'s are disjoint, there is no 
difficulty in identifying the particular $\pi_i$ which assumes the value $\ell$. 
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Let us consider a program P over a domain D with fixed interpretation I for all the predicate, 
function and individual constant symbols. A model M is said to be admissible for P if it has the 
form: 

$M = (I, \alpha, \sigma)$ 

where $\alpha$ and $\sigma$ satisfy the following condition: 

There exists an $\alpha[\bar x]$-admissible computation $a \in A(P, \alpha[\bar x])$ such that 
either 

a is infinite: $a = s_0 \xrightarrow{P_{i_1}} s_1 \xrightarrow{P_{i_2}} s_2 \xrightarrow{P_{i_3}} s_3 \cdots$ 

and 

$\sigma = s_0, s_1, s_2, \ldots$ 

or 

a is finite: $a = s_0 \xrightarrow{P_{i_1}} s_1 \xrightarrow{P_{i_2}} s_2 \xrightarrow{} \cdots \xrightarrow{P_{i_f}} s_f$ 

and then 

$\sigma = s_0, s_1, s_2, \ldots, s_f, s_f, \ldots$ 

Thus we force $\sigma$ to be always infinite by indefinitely repeating the last state of a if it is finite. This 
corresponds to our intuition that while the computation may have terminated, time still marches 
on, but no further change in the program will ever occur. 

Let us denote the class of all admissible models for a program P by $C(P)$. Note that this 
class, differently from $A(P,\bar\xi)$, contains computations corresponding to different inputs. 

We define the state formula stating that a process is enabled as follows: 

$Enabled(P_i;\bar\pi;\bar y) = \bigwedge_{\ell \in L_i}[(\pi_i = \ell) \supset E_\ell(\bar y)]$. 

For the complete program P we define 

$Enabled(P;\bar\pi;\bar y) = \bigvee_{i=1}^{m} Enabled(P_i;\bar\pi;\bar y)$. 

Thus a state $s = (\bar\ell;\bar\eta)$ is terminal iff 
$Enabled(P;\bar\ell;\bar\eta) = false$ 

and we may define 

$Terminal(\bar\pi;\bar y) = \neg Enabled(P;\bar\pi;\bar y)$. 

Let the following be a transition $\tau$ in process $P_i$: 

$\ell \xrightarrow{\;c(\bar y) \to [\bar y := f(\bar y)]\;} \ell'$ 

We define the transformation associated with the transition $\tau$ by: 

$f_\tau(\bar\pi;\bar y) = (\bar\pi[\ell'/\ell];\ f(\bar y))$. 

The transformation is obtained by replacing the current value $\ell$ of $\pi_i$ by $\ell'$ and the values of $\bar y$ by 
$f(\bar y)$. 

Let $\varphi(\bar\pi;\bar y)$ and $\psi(\bar\pi;\bar y)$ be two state formulas. We say: 

• The transition $\tau$ leads from $\varphi$ to $\psi$ if the following implication is valid: 

$[\varphi(\bar\pi;\bar y) \wedge at\,\ell \wedge c(\bar y)] \supset \psi(f_\tau(\bar\pi;\bar y))$. 

• The process $P_i$ leads from $\varphi$ to $\psi$ if every transition $\tau$ in $P_i$ leads from $\varphi$ to $\psi$. 

• The program P leads from $\varphi$ to $\psi$ if every $P_i$ leads from $\varphi$ to $\psi$. 

We are ready now to give a temporal axiomatization for the notion of computation under the 
program P. 


9. AXIOMS AND RULES FOR CONCURRENT PROGRAMS 

The first axiom states that the location variable $\pi_i$ may only assume values in $L_i$. 

A21. Location Axiom — LOC 

$\vdash \pi_i \in L_i$ for $i = 1,\ldots,m$. 

This is an abbreviation for: 

$\vdash (\pi_i = \ell^i_0) \vee (\pi_i = \ell^i_1) \vee \ldots \vee (\pi_i = \ell^i_t)$. 

Since all the locations are disjoint, it also follows from the equality axioms that $\pi_i$ may be equal 
to at most one $\ell_j$ at a time. 

For each of the three requirements defining an admissible computation we have a corresponding 
inference rule scheme: 

R6. Initialization — INIT 

For an arbitrary temporal formula w: 

$\vdash [at\,\bar\ell_0 \wedge \bar y = g(\bar x)] \supset \Box w$ 

$\vdash \Box w$ 

For let us assume that the premise to this rule holds. This implies that $\Box w$ is true for all 
initialized computations. By the semantic definition of $\Box$, this implies that w is true for every 
suffix of an initialized computation, i.e., for every admissible computation. Thus, w is $C(P)$-valid, 
and by generalization ($\Box$I) so is $\Box w$. 

R7. Transition — TRNS 

Let $\varphi(\bar\pi;\bar y)$ and $\psi(\bar\pi;\bar y)$ be two state formulas. 

$\vdash$ P leads from $\varphi$ to $\psi$ 
$\vdash [\varphi(\bar\pi;\bar y) \wedge Terminal(\bar\pi;\bar y)] \supset \psi(\bar\pi;\bar y)$ 

$\vdash \varphi \supset \bigcirc\psi$ 

Indeed let s be a state in the sequence $\sigma$ corresponding to an admissible computation a, and 
let $s'$ be its successor in $\sigma$. Assume that $\varphi(s)$ is true. There are two cases to be considered. In 
the first case, $s'$ is derived from s by a $P_i$-step for some $i = 1,\ldots,m$. But then, by the first 
premise, $P_i$ leads from $\varphi$ to $\psi$ and therefore $\psi$ must be true for $s'$. In the other case, s is terminal 
and $s' = s$, the repetition of the terminal state of a finite computation. But then s is terminal 
and satisfies the antecedent of the second premise, leading to $\psi(s) = \psi(s') = true$. Hence, in both 
cases $\psi(s')$ must hold and the conclusion of the rule follows. 

Note that the first premise to this rule requires establishing many conditions involving the 
individual transitions of each of the processes. However, by examining the definitions of "leading 
from $\varphi$ to $\psi$" we see that they are all expressible as classical statements involving no temporal 
operators. Therefore this premise should be provable from the domain axioms plus the usual 
predicate calculus proof system. The second premise is also classical, and ensures the consequence 
after the sequence has reached a terminal state. 

R8. Fairness — FAIR 

Let $\varphi(\bar\pi;\bar y)$ and $\psi(\bar\pi;\bar y)$ be two state formulas and $P_k$ be 
one of the processes. 

A. $\vdash$ P leads from $\varphi$ to $\varphi \vee \psi$ 

B. $\vdash$ $P_k$ leads from $\varphi$ to $\psi$ 

$\vdash [\varphi \wedge \Box\Diamond Enabled(P_k)] \supset \varphi\,U\,\psi$ 

To give a semantic justification of this rule, consider a computation such that $\varphi$ is true initially. 
By A, $\varphi$ will hold until $\psi$ is realized, if ever. By B, once $P_k$ is activated in a state satisfying 
$\varphi$ it will achieve $\psi$ in one step. Consider now a sequence $\sigma$ such that $\varphi \wedge \Box\Diamond Enabled(P_k)$ is 
true on $\sigma$. This means that $\varphi$ is initially true and $P_k$ is enabled infinitely many times in $\sigma$. By 
fairness, $P_k$ will eventually be activated, which, if $\psi$ has not been realized before, will achieve $\psi$ 
in one step. 

Since $(\varphi\,U\,\psi) \supset \Diamond\psi$, we often use the FAIR rule in order to derive the consequence 

$[\varphi \wedge \Box\Diamond Enabled(P_k)] \supset \Diamond\psi$. 

There are several derived rules that can be obtained from the above axiomatization. 
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Invariance Rule — INV 

$\vdash$ P leads from $\varphi$ to $\varphi$ 

$\vdash \varphi \supset \Box\varphi$ 

Proof: 

1. $\vdash$ P leads from $\varphi$ to $\varphi$ given 

2. $\vdash [\varphi \wedge Terminal] \supset \varphi$ by PT 

3. $\vdash \varphi \supset \bigcirc\varphi$ by TRNS 

4. $\vdash \varphi \supset \Box\varphi$ by CI 

Initialized Invariance Rule — IINV 
Let $\varphi$ be a state formula 

$\vdash [at\,\bar\ell_0 \wedge \bar y = g(\bar x)] \supset \varphi$ 

$\vdash$ P leads from $\varphi$ to $\varphi$ 

$\vdash \Box\varphi$ 

Proof: 

1. $\vdash [at\,\bar\ell_0 \wedge \bar y = g(\bar x)] \supset \varphi$ given 

2. $\vdash$ P leads from $\varphi$ to $\varphi$ given 

3. $\vdash \varphi \supset \Box\varphi$ by 2 and INV 

4. $\vdash [at\,\bar\ell_0 \wedge \bar y = g(\bar x)] \supset \Box\varphi$ by 1, 3 and PR 

5. $\vdash \Box\varphi$ by INIT 

The IINV rule is the rule most often used in order to establish invariance properties of programs. 
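The following is an added example, not code from the paper: a small executable version of the transition-graph model of Section 8 (the translation of assignment, go to, request and release into guarded edges, the exit condition $E_\ell$, $Enabled$, $Terminal$ and $P_i$-steps) together with the classical premises of TRNS, of premise B of FAIR, and of IINV, all checked by enumeration over a finite set of states. Every name in it (Edge, Process, Program, translate, leads_from, iinv, the instruction tuples, the two-process semaphore program and the formulas mutual_exclusion and semaphore_invariant) is my own assumption. It illustrates the remark above about IINV: the property one actually wants, $\neg(at\,a_1 \wedge at\,b_1)$, is not inductive on its own, whereas the stronger invariant $y + [at\,a_1] + [at\,b_1] = 1$ passes both premises and implies it by PR.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

Vals = Tuple[int, ...]                 # eta-bar: current values of the shared y-bar
State = Tuple[Tuple[str, ...], Vals]   # s = (l-bar ; eta-bar)
Pred = Callable[[State], bool]         # a state formula phi(pi-bar; y-bar)


@dataclass(frozen=True)
class Edge:                            # guarded command c(y) -> [y := f(y)] from src to dst
    src: str
    guard: Callable[[Vals], bool]
    update: Callable[[Vals], Vals]
    dst: str


@dataclass
class Process:
    name: str
    locs: List[str]                    # L_i, the node set
    edges: List[Edge]

    def exit_condition(self, loc: str, vals: Vals) -> bool:
        """E_l(y) = c_1(y) v ... v c_k(y) over the edges departing from l."""
        return any(e.guard(vals) for e in self.edges if e.src == loc)


def translate(name: str, text: List[tuple]) -> Process:
    """Linear text -> transition graph, following the page's construction.
    Instruction tuples are an assumption of this example: ("assign", f),
    ("goto", j), ("request", k), ("release", k), ("halt",).  Label j of the
    process is the location name+j; halt gets no outgoing edge."""
    loc = lambda j: f"{name}{j}"
    edges = []
    for i, (kind, *args) in enumerate(text):
        if kind == "assign":                   # true -> [y := f(y)]
            edges.append(Edge(loc(i), lambda v: True, args[0], loc(i + 1)))
        elif kind == "goto":                   # true, no change, to label j
            edges.append(Edge(loc(i), lambda v: True, lambda v: v, loc(args[0])))
        elif kind == "request":                # y_k > 0 -> [y_k := y_k - 1]
            k = args[0]
            edges.append(Edge(loc(i), lambda v, k=k: v[k] > 0,
                              lambda v, k=k: v[:k] + (v[k] - 1,) + v[k + 1:], loc(i + 1)))
        elif kind == "release":                # true -> [y_k := y_k + 1]
            k = args[0]
            edges.append(Edge(loc(i), lambda v: True,
                              lambda v, k=k: v[:k] + (v[k] + 1,) + v[k + 1:], loc(i + 1)))
        elif kind != "halt":
            raise ValueError(f"unknown instruction {kind}")
    return Process(name, [loc(i) for i in range(len(text))], edges)


@dataclass
class Program:
    procs: List[Process]
    init_locs: Tuple[str, ...]         # l-bar_0
    init_vals: Vals                    # y-bar = g(x-bar)
    domain: List[Vals]                 # finite value space the checks quantify over

    def enabled(self, s: State, i: int) -> bool:      # Enabled(P_i; pi-bar; y-bar)
        return self.procs[i].exit_condition(s[0][i], s[1])

    def terminal(self, s: State) -> bool:             # Terminal = ~Enabled(P)
        return not any(self.enabled(s, i) for i in range(len(self.procs)))

    def steps(self, s: State) -> List[Tuple[int, State]]:
        """All P_i-steps s -> s~: an edge of P_i from its current location whose
        guard holds; the successor is f_tau applied to (pi-bar; y-bar)."""
        locs, vals = s
        return [(i, (locs[:i] + (e.dst,) + locs[i + 1:], e.update(vals)))
                for i, p in enumerate(self.procs)
                for e in p.edges if e.src == locs[i] and e.guard(vals)]

    def states(self) -> Iterable[State]:
        for locs in product(*(p.locs for p in self.procs)):
            for vals in self.domain:
                yield (locs, vals)

    def leads_from(self, phi: Pred, psi: Pred, proc: Optional[int] = None) -> Optional[State]:
        """Premise 'P leads from phi to psi' (or 'P_proc leads from phi to psi' when
        proc is given, as in premise B of FAIR).  Returns a phi-state that has a
        transition into a non-psi-state, or None when the premise holds."""
        for s in self.states():
            if phi(s):
                for i, t in self.steps(s):
                    if (proc is None or i == proc) and not psi(t):
                        return s
        return None

    def iinv(self, phi: Pred) -> Optional[str]:
        """Both premises of IINV; None means box(phi) is established."""
        if not phi((self.init_locs, self.init_vals)):
            return "premise 1 fails: phi is false in the initial state"
        bad = self.leads_from(phi, phi)
        return None if bad is None else f"premise 2 fails: phi-state {bad} has a non-phi successor"


# Constructed example: two processes entering a critical section (label 1) under
# one semaphore y = (y_0,), initialised to 1:  request(y); release(y); go to 0.
TEXT = [("request", 0), ("release", 0), ("goto", 0)]
MUTEX = Program(procs=[translate("a", TEXT), translate("b", TEXT)],
                init_locs=("a0", "b0"), init_vals=(1,), domain=[(0,), (1,), (2,)])


def at(s: State, loc: str) -> bool:            # the abbreviation "at l"
    return loc in s[0]


def mutual_exclusion(s: State) -> bool:        # wanted: box(~(at a1 /\ at b1))
    return not (at(s, "a1") and at(s, "b1"))


def semaphore_invariant(s: State) -> bool:     # inductive: y_0 + [at a1] + [at b1] = 1
    return s[1][0] + at(s, "a1") + at(s, "b1") == 1


if __name__ == "__main__":
    print(MUTEX.iinv(mutual_exclusion))        # a counterexample: not inductive by itself
    print(MUTEX.iinv(semaphore_invariant))     # None: box(invariant), which implies mutual exclusion
```

leads_from quantifies over every location tuple and every value in the supplied finite domain, not only over reachable states, because that is what the premise "P leads from $\varphi$ to $\psi$" asks for; the domain must therefore contain every $\varphi$-state that matters, and for the semaphore example $y_0 \in \{0,1,2\}$ suffices. The state ((a0, b0), (0,)) is terminal although neither process is at a halt, i.e. it is deadlocked in the sense of Section 8; it is unreachable here, which is exactly what the invariant shows.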


Unless Establishment Rule — UER 

Let $\varphi$ be a state formula 

$\vdash$ P leads from $\varphi$ to $\varphi \vee \psi$ 

$\vdash \varphi \supset (\varphi\,\mathcal{U}\,\psi)$ 

Proof: 

1. $\vdash$ P leads from $\varphi$ to $\varphi \vee \psi$ given 

2. $\vdash \varphi \supset (\varphi \vee \psi)$ by PT 

3. $\vdash [\varphi \wedge Terminal] \supset (\varphi \vee \psi)$ by PR 

4. $\vdash \varphi \supset \bigcirc(\varphi \vee \psi)$ by 1, 3 and TRNS 

5. $\vdash \varphi \supset (\varphi\,\mathcal{U}\,\psi)$ by UI 

The following rule is a consequence of the FAIR rule.

Eventuality Rule — EVNT

A. $\vdash P$ leads from $\varphi$ to $\varphi \vee \psi$
B. $\vdash P_k$ leads from $\varphi$ to $\psi$
C. $\vdash \varphi \supset \Diamond(\psi \vee Enabled(P_k))$

$\vdash \varphi \supset \varphi\,\mathcal{U}\,\psi$

Proof:

1. $\vdash P$ leads from $\varphi$ to $\varphi \vee \psi$   given
2. $\vdash P_k$ leads from $\varphi$ to $\psi$   given
3. $\vdash \varphi \supset \Diamond(\psi \vee Enabled(P_k))$   given
4. $\vdash [\varphi \wedge \square\Diamond Enabled(P_k)] \supset \varphi\,\mathcal{U}\,\psi$   by 1, 2 and FAIR
5. $\vdash \varphi \supset (\square\varphi \vee \varphi\,\mathcal{U}\,\psi)$   by 1 and CINV
6. $\vdash [\varphi \wedge \square\sim\psi] \supset \Diamond Enabled(P_k)$   by 3, T8, A1 and PR
7. $\vdash \square(\varphi \wedge \square\sim\psi) \supset \square\Diamond Enabled(P_k)$   by 6 and $\square\square$
8. $\vdash [\square\varphi \wedge \square\sim\psi] \supset \square\Diamond Enabled(P_k)$   by 7, T3, T7 and PR
9. $\vdash [\square\varphi \wedge \sim\square\Diamond Enabled(P_k)] \supset \Diamond\psi$   by 8, A1 and PR
10. $\vdash \square\varphi \supset \Diamond\psi$   by 4, 9, A3, A10 and PR
11. $\vdash \square\varphi \supset \varphi\,\mathcal{U}\,\psi$   by 10, T24 and PR
12. $\vdash \varphi \supset \varphi\,\mathcal{U}\,\psi$   by 5, 11 and PR

In contrast with earlier rules, premise C of EVNT is not purely classical, since it contains the temporal operator $\Diamond$. Since C has a form similar to the conclusion of the EVNT rule, it is to be expected that its derivation will require once more the application of the EVNT rule. This seems to imply circular reasoning. However, note that at each nested application of the EVNT rule another $P_k$ is taken out of consideration. This is because in trying to establish $\Diamond Enabled(P_k)$ we need not consider any $P_k$-steps at all, since when they are possible, $P_k$ is already enabled.

A useful special case of C that frequently suffices for the application of the EVNT rule is:

C': $\vdash \varphi \supset [\psi \vee Enabled(P_k)]$.

Note that the EVNT rule can also be used to establish properties of the form $\varphi \supset \Diamond\psi$, since $\varphi\,\mathcal{U}\,\psi \supset \Diamond\psi$.

The EVNT rule is the one most often used in order to establish both eventuality (liveness) properties and precedence properties.


E.  EXAMPLES 


In  this  section  we  present  several  examples  of  proofs  of  properties  of  programs  using  the  proof 
system  described  above. 


10. EXAMPLE 1: DISTRIBUTED GCD

Let us consider the following example of a program computing the greatest common divisor of two positive integers in a distributed manner.

$(y_1, y_2) := (x_1, x_2)$

$\ell_0$: if $y_1 > y_2$ then $y_1 := y_1 - y_2$
$\ell_1$: if $y_1 \neq y_2$ then go to $\ell_0$
$\ell_2$: halt
- $P_1$ -

$m_0$: if $y_1 < y_2$ then $y_2 := y_2 - y_1$
$m_1$: if $y_1 \neq y_2$ then go to $m_0$
$m_2$: halt
- $P_2$ -

We wish to prove total correctness for this program, i.e.,

Theorem:

$\vdash [at(\ell_0, m_0) \wedge (y_1, y_2) = (x_1, x_2) > 0] \supset \Diamond[at(\ell_2, m_2) \wedge y_1 = gcd(x_1, x_2)]$

We will split the proof into two parts, proving separately invariance and termination.

Lemma A:

$\vdash \square[gcd(y_1, y_2) = gcd(x_1, x_2)]$

Proof of Lemma A:

Let us denote $gcd(y_1, y_2) = gcd(x_1, x_2)$ by $\varphi(x_1, x_2, y_1, y_2)$.

It is easy to check that every transition in $P$ leads from $\varphi$ to $\varphi$: the only assignments are $y_1 := y_1 - y_2$ at $\ell_0$ and $y_2 := y_2 - y_1$ at $m_0$, and subtracting the smaller of two positive integers from the larger does not change their gcd. Also

$\vdash [(y_1, y_2) = (x_1, x_2)] \supset \varphi(x_1, x_2, y_1, y_2).$

Thus we have the two premises to the IINV rule, which yields the desired result.

Lemma B:

$\vdash [at\,\ell_{0,1} \wedge at\,m_{0,1} \wedge (y_1, y_2) > 0 \wedge (y_1 + y_2 \le n + 1) \wedge y_1 \neq y_2] \supset \Diamond[at\,\ell_{0,1} \wedge at\,m_{0,1} \wedge (y_1, y_2) > 0 \wedge (y_1 + y_2 \le n)]$

Here we use $at\,\ell_{0,1}$ as an abbreviation for $at\,\ell_0 \vee at\,\ell_1$, $at\,m_{0,1}$ for $at\,m_0 \vee at\,m_1$, and

$(y_1, y_2) > 0$ for $(y_1 > 0) \wedge (y_2 > 0)$.

Proof of Lemma B:

Let us define

$\varphi(y_1, y_2, n)$: $at\,\ell_{0,1} \wedge at\,m_{0,1} \wedge (y_1, y_2) > 0 \wedge (y_1 + y_2 \le n)$.

Thus we have to prove:

$\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 \neq y_2)] \supset \Diamond\varphi(y_1, y_2, n).$

We will split the proof into two cases:

B1. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2)] \supset \Diamond\varphi(y_1, y_2, n)$

B2. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 < y_2)] \supset \Diamond\varphi(y_1, y_2, n)$

The lemma obviously follows from these two statements.

To prove B1 we first observe that by LOC:

1. $\vdash \varphi(y_1, y_2, n+1) \supset (at\,\ell_0 \vee at\,\ell_1)$

Consider therefore first the case that $P_1$ is at $\ell_0$. We take

$\varphi'$: $\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_0$
$\psi'$: $\varphi(y_1, y_2, n)$.

We claim that $\varphi'$ and $\psi'$ satisfy the premises of EVNT with $P_k = P_1$.

To see this, consider requirement A of EVNT, which states that every transition in $P$ leads from $\varphi'$ to $\varphi' \vee \psi'$.

Consider transitions in $P_2$. The only relevant ones are $m_0 \to m_1$ and transitions leading out of $m_1$. The transition $m_0 \to m_1$ under $y_1 > y_2$ leaves $\varphi'$ invariant, since the condition $y_1 < y_2$ is false and $y_2$ is not modified. Again, under $y_1 > y_2$ (and hence $y_1 \neq y_2$) the only transition out of $m_1$ goes to $m_0$, leaving $\varphi'$ invariant.

The only transition enabled in $P_1$ is $\ell_0 \to \ell_1$, which replaces $(y_1, y_2)$ by $(y_1 - y_2, y_2)$. If $y_1 + y_2 \le n + 1$ and $y_1 > y_2 > 0$ then certainly $(y_1 - y_2) + y_2 = y_1 \le n$ and $(y_1 - y_2) > 0$, $y_2 > 0$. Thus $\ell_0 \to \ell_1$ leads from $\varphi'$ to $\psi'$. This also establishes requirement B with $P_k = P_1$.

Since the transition at $\ell_0$ is always enabled (its enabling condition is $true$), condition C is trivially fulfilled. Consequently we conclude by the EVNT rule that $\vdash \varphi' \supset \Diamond\psi'$, i.e.,

2. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_0] \supset \Diamond\varphi(y_1, y_2, n)$.

Consider next the case where $P_1$ is at $\ell_1$. By taking

$\varphi''$: $\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_1$
$\psi'' = \varphi'$: $\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_0$

we can show that the premises of the EVNT rule are satisfied with respect to $\varphi''$, $\psi''$, again with $P_k = P_1$, since under $y_1 \neq y_2$ the only transition out of $\ell_1$ goes to $\ell_0$. Consequently we have $\vdash \varphi'' \supset \Diamond\psi''$, i.e.,

3. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_1] \supset \Diamond[\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_0]$

4. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2) \wedge at\,\ell_1] \supset \Diamond\varphi(y_1, y_2, n)$   by 2, 3 and $\Diamond$C

5. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 > y_2)] \supset \Diamond\varphi(y_1, y_2, n)$   by 1, 2, 4 and PR

This establishes B1.

By a symmetric argument we can establish B2. By propositional reasoning B1 and B2 lead to Lemma B.


Proof of theorem:

We will now proceed with the proof of the main theorem.

6. $\vdash [\varphi(y_1, y_2, n+1) \wedge (y_1 \neq y_2)] \supset \Diamond\varphi(y_1, y_2, n)$   Lemma B

7. $\vdash \varphi(y_1, y_2, n+1) \supset [(y_1 = y_2) \vee \Diamond\varphi(y_1, y_2, n)]$   by 6 and PR

8. $\vdash \varphi(y_1, y_2, n+1) \supset [\Diamond(y_1 = y_2) \vee \Diamond\varphi(y_1, y_2, n)]$   by 7, T1 and PR

9. $\vdash \sim\varphi(y_1, y_2, 0)$   by PR, using the domain property that the conjunction $(y_1 > 0) \wedge (y_2 > 0) \wedge (y_1 + y_2 \le 0)$ is impossible

10. $\vdash \varphi(y_1, y_2, 0) \supset \Diamond(y_1 = y_2)$   by 9 and PR

11. $\vdash \varphi(y_1, y_2, n) \supset \Diamond(y_1 = y_2)$   by 8, 10 and $\Diamond$IND

12. $\vdash \exists n\,.\,\varphi(y_1, y_2, n) \supset \Diamond(y_1 = y_2)$   by 11, since $n$ does not occur in the consequent

13. $\vdash [at(\ell_0, m_0) \wedge (y_1, y_2) = (x_1, x_2) > 0] \supset \exists n\,.\,\varphi(y_1, y_2, n)$   by taking $n = x_1 + x_2 > 0$

By considering the different locations of $P_1$ and $P_2$ under the assumption that $y_1 = y_2$ it is easy (though long if carried out in full detail) to establish

14. $\vdash (y_1 = y_2) \supset \Diamond[at(\ell_2, m_2) \wedge (y_1 = y_2)]$.

By combining 12, 13 and 14 using $\Diamond$C we obtain:

15. $\vdash [at(\ell_0, m_0) \wedge (y_1, y_2) = (x_1, x_2) > 0] \supset \Diamond[at(\ell_2, m_2) \wedge (y_1 = y_2)]$.

Together with Lemma A and T10 this gives

16. $\vdash [at(\ell_0, m_0) \wedge (y_1, y_2) = (x_1, x_2) > 0] \supset \Diamond[at(\ell_2, m_2) \wedge y_1 = gcd(x_1, x_2)]$

since $(y_1 = y_2) \supset y_1 = gcd(y_1, y_2)$.

Note that theorem T10 enables us to infer from a previously established invariant $\vdash \square\varphi$ and an implication $\vdash w_1 \supset \Diamond w_2$ the implication $\vdash w_1 \supset \Diamond(w_2 \wedge \varphi)$.
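The premises that carry the weight of this proof, "$P$ leads from $\varphi$ to $\varphi$" in Lemma A and premises A and B of EVNT in Lemma B, are classical conditions on single transitions, so over a bounded domain they can be checked mechanically. The following Python program is an added example and not code from the original paper: it encodes the two processes of the GCD program as transition functions on states $(\pi_1, \pi_2, y_1, y_2)$, checks the two kinds of premises over all states with $1 \le y_1, y_2 \le B$, and runs a round-robin (hence fair) scheduler to exhibit the termination that the theorem asserts. The bound $B$, the encoding of locations as the integers 0, 1, 2, and the sample inputs are assumptions of the example.

```python
# Added example: brute-force check of the "leads from" premises used in the
# proof for the distributed GCD program of Example 1 (not code from the paper).
from math import gcd

# A state is (l, m, y1, y2): P1 at ell_l, P2 at m_m, with l, m in {0, 1, 2}.

def p1_step(s):
    """The single transition of P1 enabled in s, or None if P1 has halted."""
    l, m, y1, y2 = s
    if l == 0:                                    # ell_0: if y1 > y2 then y1 := y1 - y2
        return (1, m, y1 - y2 if y1 > y2 else y1, y2)
    if l == 1:                                    # ell_1: if y1 != y2 then go to ell_0
        return (0 if y1 != y2 else 2, m, y1, y2)
    return None                                   # ell_2: halt

def p2_step(s):
    """The symmetric transition of P2."""
    l, m, y1, y2 = s
    if m == 0:                                    # m_0: if y1 < y2 then y2 := y2 - y1
        return (l, 1, y1, y2 - y1 if y1 < y2 else y2)
    if m == 1:                                    # m_1: if y1 != y2 then go to m_0
        return (l, 0 if y1 != y2 else 2, y1, y2)
    return None                                   # m_2: halt

PROCS = {"P1": p1_step, "P2": p2_step}

def leads_from(pre, post, states, procs=PROCS):
    """'procs lead from pre to post': every enabled transition of every process in
    procs takes a state satisfying pre to a state satisfying post.  Returns the
    first counterexample (state, process, successor), or None if there is none."""
    for s in states:
        if not pre(s):
            continue
        for name, step in procs.items():
            t = step(s)
            if t is not None and not post(t):
                return (s, name, t)
    return None

def bounded_states(bound):
    """All states with locations in 0..2 and 1 <= y1, y2 <= bound.  The bound is
    an assumption of this example; transitions never leave this set."""
    return [(l, m, y1, y2) for l in range(3) for m in range(3)
            for y1 in range(1, bound + 1) for y2 in range(1, bound + 1)]

def check_lemma_a(bound):
    """Premise B of IINV for Lemma A: P leads from gcd(y1, y2) = g to itself,
    for every value g that gcd(x1, x2) could take within the bound."""
    states = bounded_states(bound)
    for g in range(1, bound + 1):
        phi = lambda s, g=g: gcd(s[2], s[3]) == g
        bad = leads_from(phi, phi, states)
        if bad is not None:
            return bad
    return None

def check_lemma_b(bound):
    """Premises A and B of EVNT for the pair (phi', psi') of case B1 of Lemma B
    (P1 at ell_0), for every n up to 2*bound."""
    states = bounded_states(bound)
    for n in range(1, 2 * bound + 1):
        def phi(s, n=n):            # phi': phi(y1, y2, n+1) and y1 > y2 and at ell_0
            l, m, y1, y2 = s
            return l == 0 and m in (0, 1) and y1 > y2 > 0 and y1 + y2 <= n + 1
        def psi(s, n=n):            # psi': phi(y1, y2, n)
            l, m, y1, y2 = s
            return l in (0, 1) and m in (0, 1) and y1 > 0 and y2 > 0 and y1 + y2 <= n
        bad = (leads_from(phi, lambda s: phi(s) or psi(s), states)       # premise A
               or leads_from(phi, psi, states, {"P1": p1_step}))         # premise B
        if bad is not None:
            return bad
    return None

def run_fair(x1, x2):
    """Round-robin scheduling: each process is activated in every round, so the
    schedule is fair.  Returns the final state (2, 2, g, g) with g = gcd(x1, x2)."""
    s = (0, 0, x1, x2)
    while s[0] != 2 or s[1] != 2:
        for step in PROCS.values():
            t = step(s)
            if t is not None:
                s = t
    return s

if __name__ == "__main__":
    print(check_lemma_a(12), check_lemma_b(12))   # None None: no counterexamples found
    print(run_fair(12, 18))                        # (2, 2, 6, 6)
```

The checker only refutes: a returned counterexample is a transition that violates the premise, while None over the bounded domain is evidence, not a proof, for the unbounded integers. The proof in the text covers all $n$ because the argument about $y_1 - y_2$ is symbolic, which is exactly what the bounded enumeration cannot replace.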


11. EXAMPLE 2: SEMAPHORES

For our next example we will present a very simple program with semaphores:

$y := 1$

$\ell_0$: request($y$)
$\ell_1$: release($y$)
$\ell_2$: go to $\ell_0$
- $P_1$ -

$m_0$: request($y$)
$m_1$: release($y$)
$m_2$: go to $m_0$
- $P_2$ -

This example models a solution to the mutual exclusion problem using semaphores.

There are two properties that we wish to prove for this program. The first is that of mutual exclusion, namely:

Lemma A:

$\vdash \square[(\sim at\,\ell_1) \vee (\sim at\,m_1)]$

Proof:

Take

$\varphi(\pi_1, \pi_2; y)$: $(at\,\ell_1 + at\,m_1 + y = 1) \wedge (y \ge 0)$.

In expressions such as the above we interpret propositions as having the numerical value 1 when true and 0 otherwise.

We can easily show that $\varphi$ is preserved under every transition. For example, consider the transition $\ell_0 \to \ell_1$. When it is enabled we have $y > 0$, and the transition assigns to the variable $y$ the value $y - 1$, which is nonnegative. Considering the value of the sum

$at\,\ell_1 + at\,m_1 + y$,

$at\,\ell_1$ changes from 0 to 1 on this transition but $y$ is decremented by 1. Consequently the value of the sum remains invariant. The transition $\ell_1 \to \ell_2$ is symmetric: $at\,\ell_1$ drops from 1 to 0 while release($y$) increments $y$ by 1.

Initially, $at\,\ell_1 + at\,m_1 + y = 0 + 0 + 1 = 1$ and $y = 1 \ge 0$.

Hence $\varphi$ satisfies the two premises of the IINV rule, from which we conclude

$I_1$: $\vdash \square[(at\,\ell_1 + at\,m_1 + y = 1) \wedge (y \ge 0)]$.

This implies

$\vdash \square[at\,\ell_1 + at\,m_1 \le 1]$

which is equivalent to Lemma A.

The second property is that of accessibility. It states that each process will eventually be admitted to its critical section. This is established by:

Lemma B:

$\vdash at\,\ell_0 \supset \Diamond at\,\ell_1$

and

$\vdash at\,m_0 \supset \Diamond at\,m_1$

Proof:

Let us define

$\varphi_1$: $at\,\ell_0 \wedge at\,m_1 \wedge y = 0$
$\psi_1$: $y > 0$

We show that $\varphi_1$ and $\psi_1$ satisfy the conditions of the EVNT rule with $k = 2$.

In fact the only enabled transition is $m_1 \to m_2$, which does lead from $\varphi_1$ to $\psi_1$; the request at $\ell_0$ is blocked while $y = 0$. While at $m_1$, $P_2$ is always enabled. Thus we conclude:

1. $\vdash [at\,\ell_0 \wedge at\,m_1 \wedge y = 0] \supset \Diamond(y > 0)$   by EVNT with $k = 2$

2. $\vdash [at\,\ell_0 \wedge at\,m_1] \supset \Diamond(y > 0)$   by $I_1$ above, 1 and PR

3. $\vdash [at\,\ell_0 \wedge at\,m_{0,2}] \supset (y > 0)$   also by $I_1$ and PR

4. $\vdash at\,\ell_0 \supset \Diamond(y > 0)$   by T1, 2, 3, LOC and PR

Here $at\,m_{0,2}$ abbreviates $at\,m_0 \vee at\,m_2$.

Take now

$\varphi_2$: $at\,\ell_0$
$\psi_2$: $at\,\ell_1$

We check premises A to C of the EVNT rule with respect to the pair $(\varphi_2, \psi_2)$, taking $k = 1$. Clearly $P$ always leads from $\varphi_2$ to $\varphi_2 \vee \psi_2$. The process $P_1$ always leads (when enabled) from $\varphi_2$ to $\psi_2$. Condition C, $\vdash at\,\ell_0 \supset \Diamond(at\,\ell_1 \vee Enabled(P_1))$, is guaranteed by 4 above, since at $\ell_0$ the process $P_1$ is enabled exactly when $y > 0$. We therefore conclude

5. $\vdash at\,\ell_0 \supset \Diamond at\,\ell_1$.

By a completely symmetric argument we can show that:

$\vdash at\,m_0 \supset \Diamond at\,m_1$.


12. EXAMPLE 3: MUTUAL EXCLUSION

As a third example we consider a program that solves the mutual exclusion problem without semaphores:

$(y_1, y_2, t) := (false, false, 1)$

$\ell_0$: Noncritical Section
$\ell_1$: $y_1 := true$
$\ell_2$: $t := 1$
$\ell_3$: if $y_2 = false$ then go to $\ell_5$
$\ell_4$: if $t = 1$ then go to $\ell_3$
$\ell_5$: Critical Section
$\ell_6$: $y_1 := false$
$\ell_7$: go to $\ell_0$
- $P_1$ -

$m_0$: Noncritical Section
$m_1$: $y_2 := true$
$m_2$: $t := 2$
$m_3$: if $y_1 = false$ then go to $m_5$
$m_4$: if $t = 2$ then go to $m_3$
$m_5$: Critical Section
$m_6$: $y_2 := false$
$m_7$: go to $m_0$
- $P_2$ -

For convenience we will abbreviate formulas $at\,\ell_j$ to $\ell_j$, and similarly $at\,m_j$ to $m_j$.

The principle of operation of this program is that each process $P_i$ has a variable $y_i$, $i = 1, 2$, which expresses the process's wish to enter its critical section. The variable $y_i$ is set to $true$ at $\ell_1$ and $m_1$ and reset to $false$ at $\ell_6$ and $m_6$, respectively. In addition, each process leaves a signature in the common variable $t$. The process $P_1$ sets it to 1 at $\ell_2$ and $P_2$ sets it to 2 at $m_2$. A process $P_i$ may enter its critical section only if either $y_j = false$ (meaning that the other process is not interested) or if $t = j$, for $j \neq i$. The latter case corresponds to both processes being interested in entering the critical section but $P_j$ being the last to pass through the signing instructions at $\ell_2$ and $m_2$.

To formally prove that this program is correct we first prove several invariance properties.

Lemma A:

$\vdash \square(y_1 \equiv \ell_{2..6})$

Here $\ell_{2..6}$ stands for $at\,\ell_{2..6}$. Thus the lemma states that

$y_1 = true$ if and only if $\pi_1 \in \{\ell_2, \ell_3, \ell_4, \ell_5, \ell_6\}$.

Proof:

To prove the lemma we take

$\varphi_1$: $(y_1 \equiv \ell_{2..6})$

and show that it is invariant under every transition, i.e., every transition leads from $\varphi_1$ to $\varphi_1$.

The only transitions that can affect the truth of $\varphi_1$ are $\ell_1 \to \ell_2$ and $\ell_6 \to \ell_7$.

In $\ell_1 \to \ell_2$ both $y_1$ and $at\,\ell_{2..6}$ become simultaneously true. Similarly, in $\ell_6 \to \ell_7$ both $y_1$ and $at\,\ell_{2..6}$ become simultaneously false. Thus

1. $\vdash (y_1 \equiv \ell_{2..6}) \supset \bigcirc(y_1 \equiv \ell_{2..6})$   by TRNS

2. $\vdash \{at(\ell_0, m_0) \wedge [(y_1, y_2, t) = (false, false, 1)]\} \supset (y_1 \equiv \ell_{2..6})$

3. $\vdash \square(y_1 \equiv \ell_{2..6})$   by 1, 2 and IINV

Lemma B:

$\vdash \square(y_2 \equiv m_{2..6})$

The lemma is proved by a symmetric argument.

Lemma C:

$\vdash (t = 1) \vee (t = 2)$

This lemma states that the only possible values of the variable $t$ are 1 or 2. It follows by IINV: initially $t = 1$, and the only transitions that modify $t$ are $\ell_2 \to \ell_3$ and $m_2 \to m_3$, which set it to 1 and to 2 respectively.

Lemma D:

$\vdash \ell_{5,6} \supset [(\sim y_2) \vee (t = 2) \vee m_2]$

Proof:

Let $\varphi_2$ stand for $\ell_{5,6} \supset [(\sim y_2) \vee (t = 2) \vee m_2]$.

It is clearly true initially since $\vdash \ell_0 \supset \sim\ell_{5,6}$. To show that every transition leads from $\varphi_2$ to $\varphi_2$, consider the only transitions that may falsify $\varphi_2$, i.e., that may possibly lead from $\varphi_2$ to $\sim\varphi_2$. Potentially they are:

•  $\ell_3 \to \ell_5$. This transition is possible only under $\sim y_2$, which makes $(\sim y_2) \vee (t = 2) \vee m_2$ true.

•  $\ell_4 \to \ell_5$. This is possible only when $t \neq 1$, which by Lemma C makes $(\sim y_2) \vee (t = 2) \vee m_2$ again true.

The other transitions we should consider are transitions of $P_2$ while $P_1$ is already at $\ell_{5,6}$. The only ones to be considered are those which affect any of the variables in $\sim y_2 \vee (t = 2) \vee m_2$.

•  $m_1 \to m_2$. Causes $m_2$ to become true.

•  $m_2 \to m_3$. Causes $t$ to be set to 2.

•  $m_6 \to m_7$. Sets $y_2$ to $false$, making $\sim y_2$ true.

The lemma follows by the IINV principle.

Lemma E:

$\vdash m_{5,6} \supset [(\sim y_1) \vee (t = 1) \vee \ell_2]$

The lemma is proved by a completely symmetric argument.
Theorem:

$\vdash (\sim\ell_{5,6}) \vee (\sim m_{5,6})$

This theorem proves the mutual exclusion of the processes.

Proof:

1. $\vdash (\ell_{5,6} \wedge m_{5,6}) \supset [((\sim y_2) \vee (t = 2) \vee m_2) \wedge ((\sim y_1) \vee (t = 1) \vee \ell_2)]$   by Lemmas D, E and PR

2. $\vdash (\ell_{5,6} \wedge m_{5,6}) \supset [y_1 \wedge y_2 \wedge \sim\ell_2 \wedge \sim m_2]$   by Lemmas A, B, LOC and PR

3. $\vdash (\ell_{5,6} \wedge m_{5,6}) \supset [(t = 1) \wedge (t = 2)]$   by 1, 2 and PR

4. $\vdash \sim(\ell_{5,6} \wedge m_{5,6})$   by 3, the equality axioms and PR, using the domain fact that $1 \neq 2$

5. $\vdash (\sim\ell_{5,6}) \vee (\sim m_{5,6})$   by 4 and PR

Next we will prove accessibility. We will only prove:

Theorem:

$\vdash at\,\ell_1 \supset \Diamond at\,\ell_5$

The result for $P_2$ is completely symmetric.


Proof:

The proof will proceed by a sequence of statements, most of which are proved by the EVNT rule in the version whose conclusion is $\varphi \supset \Diamond\psi$. Simple passages justified by propositional temporal reasoning will not be fully presented, and their omission is denoted by mentioning PTR in the justification clause. The lemmas above are used throughout to determine which transitions are possible; for example, while $P_1$ is at $\ell_{3,4}$ Lemma A gives $y_1 = true$, so $P_2$ at $m_3$ can only move to $m_4$.

1. $\vdash (\ell_4 \wedge m_{3,4} \wedge t = 2) \supset \Diamond\ell_5$   by EVNT with $k = 1$, using Lemma A

2. $\vdash (\ell_3 \wedge m_{3,4} \wedge t = 2) \supset \Diamond(\ell_4 \wedge m_{3,4} \wedge t = 2)$   by EVNT with $k = 1$, using Lemmas A, B

3. $\vdash (\ell_3 \wedge m_{3,4} \wedge t = 2) \supset \Diamond\ell_5$   by 2, 1 and $\Diamond$C

4. $\vdash (\ell_{3,4} \wedge m_{3,4} \wedge t = 2) \supset \Diamond\ell_5$   by 1, 3 and PR

5. $\vdash (\ell_{3,4} \wedge m_2) \supset \Diamond[\ell_5 \vee (\ell_{3,4} \wedge m_{3,4} \wedge t = 2)]$   by EVNT with $k = 2$

6. $\vdash (\ell_{3,4} \wedge m_2) \supset \Diamond\ell_5$   by 4, 5 and PTR

7. $\vdash (\ell_{3,4} \wedge m_1) \supset \Diamond[\ell_5 \vee (\ell_{3,4} \wedge m_2)]$   by EVNT with $k = 2$

8. $\vdash (\ell_{3,4} \wedge m_1) \supset \Diamond\ell_5$   by 7, 6 and PTR

9. $\vdash (\ell_3 \wedge m_0) \supset \Diamond[\ell_5 \vee (\ell_{3,4} \wedge m_1)]$   by EVNT with $k = 1$

10. $\vdash (\ell_3 \wedge m_0) \supset \Diamond\ell_5$   by 9, 8 and PTR

11. $\vdash (\ell_4 \wedge m_0) \supset \Diamond[\ell_5 \vee (\ell_{3,4} \wedge m_1) \vee (\ell_3 \wedge m_0)]$   by EVNT with $k = 1$

12. $\vdash (\ell_4 \wedge m_0) \supset \Diamond\ell_5$   by 11, 8, 10 and PTR

13. $\vdash (\ell_{3,4} \wedge m_0) \supset \Diamond\ell_5$   by 10, 12 and PR

14. $\vdash (\ell_{3,4} \wedge m_7) \supset \Diamond[\ell_5 \vee (\ell_{3,4} \wedge m_0)]$   by EVNT with $k = 2$

15. $\vdash (\ell_{3,4} \wedge m_7) \supset \Diamond\ell_5$   by 14, 13 and PTR

16. $\vdash (\ell_{3,4} \wedge m_6) \supset \Diamond(\ell_{3,4} \wedge m_7)$   by EVNT with $k = 2$ and Lemma E

17. $\vdash (\ell_{3,4} \wedge m_6) \supset \Diamond\ell_5$   by 16, 15 and PTR

18. $\vdash (\ell_{3,4} \wedge m_5) \supset \Diamond(\ell_{3,4} \wedge m_6)$   by EVNT with $k = 2$ and Lemma E

19. $\vdash (\ell_{3,4} \wedge m_5) \supset \Diamond\ell_5$   by 18, 17 and PTR

20. $\vdash (\ell_{3,4} \wedge m_4 \wedge t = 1) \supset \Diamond(\ell_{3,4} \wedge m_5)$   by EVNT with $k = 2$ and Lemma A

21. $\vdash (\ell_{3,4} \wedge m_4 \wedge t = 1) \supset \Diamond\ell_5$   by 20, 19 and PTR

22. $\vdash (\ell_{3,4} \wedge m_3 \wedge t = 1) \supset \Diamond(\ell_{3,4} \wedge m_4 \wedge t = 1)$   by EVNT with $k = 2$ and Lemma A

23. $\vdash (\ell_{3,4} \wedge m_3 \wedge t = 1) \supset \Diamond\ell_5$   by 22, 21 and PTR

24. $\vdash (\ell_{3,4} \wedge m_{3,4} \wedge t = 1) \supset \Diamond\ell_5$   by 21, 23 and PR

25. $\vdash (\ell_{3,4} \wedge m_{3,4}) \supset \Diamond\ell_5$   by 4, 24, Lemma C and PR

We may summarize now as follows:

26. $\vdash \ell_{3,4} \supset [\ell_{3,4} \wedge (m_0 \vee m_1 \vee m_2 \vee m_3 \vee m_4 \vee m_5 \vee m_6 \vee m_7)]$   by LOC

27. $\vdash \ell_{3,4} \supset \Diamond\ell_5$   by 26, 13, 8, 6, 25, 19, 17, 15 and PTR

28. $\vdash \ell_2 \supset \Diamond\ell_{3,4}$   by EVNT with $k = 1$

29. $\vdash \ell_2 \supset \Diamond\ell_5$   by 27, 28 and $\Diamond$C

30. $\vdash \ell_1 \supset \Diamond\ell_2$   by EVNT with $k = 1$

31. $\vdash \ell_1 \supset \Diamond\ell_5$   by 29, 30 and $\Diamond$C
F. COMPACT PROOF PRINCIPLES


In the preceding sections we introduced a comprehensive proof system for proving arbitrary temporal properties of concurrent programs. However, as demonstrated in the last examples, a fully formal proof tends to be rather lengthy and sometimes tedious to follow. Consequently we will next discuss shorter and more compact representations of proofs and corresponding compact proof principles. All these principles can be derived in the basic proof system presented above. Consequently, a proof according to these principles can always be mechanically expanded into a more detailed proof using just the basic axioms. We will discuss the three main classes of properties one may wish to prove about programs, namely: invariance, liveness and precedence properties.


13.  THE  INVARIANCE  PRINCIPLE 


The IINV principle does not significantly simplify formal proofs. Most of the needed work in applying the IINV principle is in establishing the premise that the program $P$ leads from $\varphi$ to $\varphi$. Several heuristics or meta-rules can be suggested in order to reduce the number of transitions that have to be checked, which in the worst case is proportional to the size of the program. For example:

a) Only transitions that modify variables on which $\varphi$ depends should be checked.

b) Assume that $\varphi$ has the form $\varphi = \varphi_1 \vee \varphi_2$ (similarly for implication), and that some variables $y_1, \ldots, y_m$ appear only in $\varphi_1$. Then, in checking transitions that only modify these variables, it is sufficient to check transitions that may falsify $\varphi_1$, and one may assume in checking them that $\varphi_2 = false$.

c) Assume that an invariance $\chi$ has already been established before. Let

$[\varphi \wedge \chi] \supset \sim at\,\ell$

for some location $\ell$. Then no transitions of the form $\ell \to \ell'$ need ever be considered in showing that $P$ leads from $\varphi$ to $\psi$.

A simple generalization of the IINV rule is given by:

Generalized Invariance Rule — GINV

A. $\vdash \varphi \supset \psi$
B. $\vdash [at\,\ell_0 \wedge y = g(x)] \supset \varphi$
C. $\vdash P$ leads from $\varphi$ to $\varphi$

$\vdash \square\psi$

Certainly premises B and C establish $\vdash \square\varphi$ according to IINV, from which by premise A and the $\square\square$ rule $\vdash \square\psi$ follows.

The advantage of the GINV principle is that no additional temporal reasoning is required and the rule can be proved complete by itself. By this we mean that, given a program $P$, any state property $\psi$ which is invariant for all executions of $P$ can be proven invariant by a single application of the GINV rule and no additional temporal reasoning.


Theorem:

The GINV rule is complete for proving invariance properties.

Proof:

Let $\psi = \psi(x; \pi; y)$ be a state property, possibly dependent on the input variables $x$. We define a state $s = (\pi; \eta)$ to be $\xi$-accessible in $P$ if there exists a segment of some computation initialized with $x = \xi$ that reaches $s$, i.e.,

$(\ell_0; g(\xi)) \to \cdots \to (\pi; \eta).$

Define the predicate $\varphi = \varphi(x; \pi; y)$ by:

$\varphi(\xi; \pi; \eta) = true \iff (\pi; \eta)$ is $\xi$-accessible.

Thus, $\varphi$ characterizes all the states that are $x$-accessible. We will show that the predicate $\varphi$ so defined satisfies, together with $\psi$, all the premises required by the rule GINV.

Consider premise A. Since $\psi$ is invariantly true in all computations of $P$, it must be true for every accessible state $(\pi; \eta)$. Consequently

$\varphi(\xi; \pi; \eta) \supset \psi(\xi; \pi; \eta);$

when generalized to arbitrary $\xi$, $\pi$ and $\eta$ this implies

$\models \varphi \supset \psi.$

Since we assume that the underlying domain theory is adequate for proving all classically sound formulas, this implies

$\vdash \varphi \supset \psi.$

Consider now premise B. Since every initial state is by definition accessible we certainly have

$\models \varphi(x; \ell_0; g(x)).$

Again by completeness of our domain part with respect to classical formulas, this leads to

$\vdash [at\,\ell_0 \wedge y = g(x)] \supset \varphi(x; \pi; y).$

Finally, consider premise C. Clearly every transition in $P$ leads from an $x$-accessible state to another $x$-accessible state. Consequently

$\models P$ leads from $\varphi$ to $\varphi$.

From this, premise C follows by completeness of the domain part.

In the preceding theorem we have only shown the existence of an appropriate state predicate $\varphi$. We have not discussed the question of the exact formal language in which such a predicate can be expressed. However, assuming that our domain contains the integers or some isomorphic structure, and using a first-order language, it is not difficult to show that the statement

"There exists a finite computation of $P$ leading from $(\ell_0; g(\xi))$ to $(\pi; \eta)$"

can be Gödel-encoded into a first-order statement over the integers.


14. LIVENESS PRINCIPLES

As a typical example of a detailed proof of liveness properties we may reexamine the proof of accessibility for the mutual exclusion program (Example 3). The structure of such a proof proceeds through a chain of events characterized by state assertions. Let the eventuality to be proved be $\varphi \supset \Diamond\psi$, where both $\varphi$ and $\psi$ are state properties. We may regard $\psi = \varphi_0$ as being the last assertion in the chain. Then we identify an assertion $\varphi_1$ such that by a single application of the EVNT principle we can prove

$\vdash \varphi_1 \supset \Diamond\psi.$

In the example considered we have

$\psi$: $\ell_5$
$\varphi_1$: $\ell_4 \wedge m_{3,4} \wedge (t = 2)$.

Next, we identify an assertion $\varphi_2$ such that by a single application of the EVNT principle we can prove

$\vdash \varphi_2 \supset \Diamond(\varphi_1 \vee \psi).$

In the general step, we identify an assertion $\varphi_i$ such that by a single application of the EVNT principle we can prove

$\vdash \varphi_i \supset \Diamond(\bigvee_{j < i} \varphi_j).$

Finally we have to prove $\varphi \supset (\bigvee_{i=0}^{r} \varphi_i)$, where $\varphi_0, \varphi_1, \ldots, \varphi_r$ is the chain of assertions constructed. We may summarize this proof pattern by the following proof principle:


The Chain Reasoning Proof Principle — CHAIN

Let $\varphi_0, \varphi_1, \ldots, \varphi_r$ be a sequence of state properties satisfying the following requirements:

A. $\vdash P$ leads from $\varphi_i$ to $\bigvee_{j \le i} \varphi_j$ for $i = 1, \ldots, r$.

B. For every $i > 0$ there exists a $k = k_i$ such that:

$\vdash P_k$ leads from $\varphi_i$ to $\bigvee_{j < i} \varphi_j$

C. For $i > 0$ and $k = k_i$ as above:

$\vdash \varphi_i \supset \Diamond[(\bigvee_{j < i} \varphi_j) \vee Enabled(P_k)]$

$\vdash (\bigvee_{i=0}^{r} \varphi_i) \supset (\bigvee_{i=1}^{r} \varphi_i)\,\mathcal{U}\,\varphi_0$

Proof:

To justify this principle we will prove by induction on $n$, $n = 0, 1, \ldots, r$, that

$\vdash (\bigvee_{i=0}^{n} \varphi_i) \supset (\bigvee_{i=1}^{n} \varphi_i)\,\mathcal{U}\,\varphi_0.$

For $n = 0$ we have $\vdash \varphi_0 \supset \varphi_0$, from which trivially follows by axiom A9

$\vdash \varphi_0 \supset (false\,\mathcal{U}\,\varphi_0).$

Note that we interpret an empty disjunction as $false$.

We assume that the statement above has been proved for a certain $n$ and we attempt to prove it for $n + 1$.

Consider the EVNT rule with $\varphi = \varphi_{n+1}$ and $\psi = (\bigvee_{i=0}^{n} \varphi_i)$. By premise A of CHAIN we obtain that $P$ leads from $\varphi_{n+1} = \varphi$ to

$(\bigvee_{j \le n+1} \varphi_j) = (\varphi_{n+1} \vee (\bigvee_{j \le n} \varphi_j)) = (\varphi \vee \psi).$

This provides premise A of EVNT. Let $k = k_{n+1}$. Then by premise B of CHAIN, $P_k$ leads from $\varphi_{n+1} = \varphi$ to $(\bigvee_{j < n+1} \varphi_j) = \psi$. Similarly, premise C of CHAIN yields that

1. $\vdash \varphi \supset \Diamond(\psi \vee Enabled(P_k)).$

By the EVNT rule it follows that

2. $\vdash \varphi \supset \varphi\,\mathcal{U}\,\psi$

or

3. $\vdash \varphi_{n+1} \supset \varphi_{n+1}\,\mathcal{U}\,(\bigvee_{i=0}^{n} \varphi_i).$

By the induction hypothesis and the $\mathcal{U}\mathcal{U}$ rule this yields

4. $\vdash \varphi_{n+1} \supset \varphi_{n+1}\,\mathcal{U}\,((\bigvee_{i=1}^{n} \varphi_i)\,\mathcal{U}\,\varphi_0).$

Again by the induction hypothesis, using the part $w_2 \supset w_1\,\mathcal{U}\,w_2$ of A9, we can obtain

5. $\vdash (\bigvee_{i=0}^{n} \varphi_i) \supset \varphi_{n+1}\,\mathcal{U}\,((\bigvee_{i=1}^{n} \varphi_i)\,\mathcal{U}\,\varphi_0).$

Combining this with 4 above yields

6. $\vdash (\bigvee_{i=0}^{n+1} \varphi_i) \supset \varphi_{n+1}\,\mathcal{U}\,((\bigvee_{i=1}^{n} \varphi_i)\,\mathcal{U}\,\varphi_0).$

By T38, $p\,\mathcal{U}\,(q\,\mathcal{U}\,r) \supset (p \vee q)\,\mathcal{U}\,r$, we can reduce the nesting depth of the $\mathcal{U}$ operator to get:

7. $\vdash (\bigvee_{i=0}^{n+1} \varphi_i) \supset ((\bigvee_{i=1}^{n+1} \varphi_i)\,\mathcal{U}\,\varphi_0)$

as needed.

Taking $n = r$ concludes the proof of the principle.

In presenting a proof according to the chain-reasoning principle it is usually sufficient to identify $\varphi_0, \varphi_1, \ldots, \varphi_r$ and for each $i$ to point out the "helpful" process $P_k = P_{k_i}$. It can be left to the reader to verify that premises A to C are satisfied for each $i = 1, 2, \ldots, r$.

We prefer to present such proofs in the form of a diagram. Consider a diagram consisting of nodes that correspond to the assertions $\varphi_0, \varphi_1, \ldots, \varphi_r$. For each transition effected by some process $P_j$ that leads from a state $s$ satisfying $\varphi_i$ to a state $s'$ satisfying $\varphi_{i'}$, $i' < i$, we draw an edge from the node $\varphi_i$ to the node $\varphi_{i'}$ and label it by $P_j$, the name of the responsible process. All edges corresponding to the helpful process $P_k = P_{k_i}$ are drawn as double arrows. We do not explicitly draw edges corresponding to transitions from $\varphi_i$ back to itself. However, it is assumed that such edges may exist for all but the helpful process for $\varphi_i$.

As an example we present a diagram form of the proof of accessibility for the Mutual Exclusion program. It is given in Fig. 1. In constructing such a proof we may freely use any invariants previously derived.


In this program, and typically in all non-terminating programs that have no semaphore instructions, we do not have to check premise C of the CHAIN or EVNT rule. This is because in non-terminating programs without semaphores every process is continuously enabled, and therefore condition C is automatically satisfied.
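Since the mutual exclusion program is finite-state, premises A and B of CHAIN are conditions on single transitions that a program can enumerate, and the chain of the accessibility proof of Example 3 can be checked in the same spirit as the diagram of Fig. 1. The following Python program is an added example and not code from the original paper: it encodes the two processes of Example 3 as transition functions on states $(\pi_1, \pi_2, y_1, y_2, t)$, enumerates the reachable states, checks Lemmas A to E and the mutual exclusion theorem on them, and then checks premises A and B of CHAIN for the fourteen assertions $\varphi_0, \ldots, \varphi_{13}$ read off from steps 1 to 30 of the proof, each paired with its helpful process. Premise C needs no check, as noted above. Restricting the check to reachable states is what lets the premises use the invariants, as the text allows; the integer encoding of locations and the ordering chosen for the chain are the example's own assumptions.

```python
# Added example: explicit-state check of the invariants and of the CHAIN
# premises for the mutual exclusion program of Example 3 (not code from the paper).
from collections import deque

# A state is (l, m, y1, y2, t): P1 at ell_l, P2 at m_m, flags y1, y2, signature t.
INIT = (0, 0, False, False, 1)

def p1(s):
    """The transition of P1 enabled in s (P1 is always enabled)."""
    l, m, y1, y2, t = s
    if l == 0: return (1, m, y1, y2, t)                     # ell_0: noncritical section
    if l == 1: return (2, m, True, y2, t)                   # ell_1: y1 := true
    if l == 2: return (3, m, y1, y2, 1)                     # ell_2: t := 1
    if l == 3: return (5 if not y2 else 4, m, y1, y2, t)    # ell_3: if y2 = false go to ell_5
    if l == 4: return (3 if t == 1 else 5, m, y1, y2, t)    # ell_4: if t = 1 go to ell_3
    if l == 5: return (6, m, y1, y2, t)                     # ell_5: critical section
    if l == 6: return (7, m, False, y2, t)                  # ell_6: y1 := false
    return (0, m, y1, y2, t)                                # ell_7: go to ell_0

def p2(s):
    """The symmetric transition of P2."""
    l, m, y1, y2, t = s
    if m == 0: return (l, 1, y1, y2, t)
    if m == 1: return (l, 2, y1, True, t)
    if m == 2: return (l, 3, y1, y2, 2)
    if m == 3: return (l, 5 if not y1 else 4, y1, y2, t)
    if m == 4: return (l, 3 if t == 2 else 5, y1, y2, t)
    if m == 5: return (l, 6, y1, y2, t)
    if m == 6: return (l, 7, y1, False, t)
    return (l, 0, y1, y2, t)

PROCS = {1: p1, 2: p2}

def reachable(init=INIT):
    """All states reachable from init by interleaving P1 and P2 steps."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for step in PROCS.values():
            n = step(s)
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

# The invariants of the text as predicates on a state; ell_{a..b} means a <= l <= b.
def lemma_a(s): return s[2] == (2 <= s[0] <= 6)             # y1 == ell_{2..6}
def lemma_b(s): return s[3] == (2 <= s[1] <= 6)             # y2 == m_{2..6}
def lemma_c(s): return s[4] in (1, 2)
def lemma_d(s): return not (5 <= s[0] <= 6) or (not s[3] or s[4] == 2 or s[1] == 2)
def lemma_e(s): return not (5 <= s[1] <= 6) or (not s[2] or s[4] == 1 or s[0] == 2)
def mutex(s):   return not (5 <= s[0] <= 6 and 5 <= s[1] <= 6)
INVARIANTS = (lemma_a, lemma_b, lemma_c, lemma_d, lemma_e, mutex)

def failing_invariants(states):
    """Names of the invariants violated by some state in `states`."""
    return [f.__name__ for f in INVARIANTS if not all(f(s) for s in states)]

# Small combinators for writing the chain assertions.
def L(*ls):   return lambda s: s[0] in ls          # P1 at one of ell_ls
def M(*ms):   return lambda s: s[1] in ms          # P2 at one of m_ms
def T(v):     return lambda s: s[4] == v
def AND(*ps): return lambda s: all(p(s) for p in ps)

# (phi_i, helpful process k_i) for i = 0..13, taken from proof steps 1-30; phi_0 = ell_5.
CHAIN = [
    (L(5), None),
    (AND(L(4), M(3, 4), T(2)), 1),   # step 1
    (AND(L(3), M(3, 4), T(2)), 1),   # step 2
    (AND(L(3, 4), M(2)), 2),         # step 5
    (AND(L(3, 4), M(1)), 2),         # step 7
    (AND(L(3), M(0)), 1),            # step 9
    (AND(L(4), M(0)), 1),            # step 11
    (AND(L(3, 4), M(7)), 2),         # step 14
    (AND(L(3, 4), M(6)), 2),         # step 16
    (AND(L(3, 4), M(5)), 2),         # step 18
    (AND(L(3, 4), M(4), T(1)), 2),   # step 20
    (AND(L(3, 4), M(3), T(1)), 2),   # step 22
    (L(2), 1),                       # step 28
    (L(1), 1),                       # step 30
]

def check_chain(states, chain=CHAIN):
    """Premises A and B of CHAIN over `states`.  Returns the list of violations
    (i, premise, state, process); an empty list means the chain is valid there."""
    bad = []
    for i in range(1, len(chain)):
        phi, k = chain[i]
        below = lambda s, i=i: any(chain[j][0](s) for j in range(i))
        for s in states:
            if not phi(s):
                continue
            for name, step in PROCS.items():
                n = step(s)
                if not (phi(n) or below(n)):       # premise A: P leads to V_{j<=i} phi_j
                    bad.append((i, "A", s, name))
                if name == k and not below(n):     # premise B: P_k leads to V_{j<i} phi_j
                    bad.append((i, "B", s, name))
    return bad

if __name__ == "__main__":
    R = reachable()
    print(len(R), failing_invariants(R), check_chain(R))   # invariants hold, chain valid
```

Dropping a conjunct from one of the assertions, for instance $t = 2$ from $\varphi_1$, makes the checker report a premise B violation: with $t = 1$ the helpful process $P_1$ moves from $\ell_4$ back to $\ell_3$, which is not below $\varphi_1$ in the chain. This is the same information the double arrows of Fig. 1 carry, produced by enumeration instead of by hand.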

In contrast, let us consider the proof of accessibility for Example 2, a program with semaphores. Here we want to prove $\ell_0 \supset \Diamond\ell_1$. The main diagram here is very simple: a single double arrow labelled $P_1$ from the node $\ell_0$ to the node $\ell_1$.

It denotes a single application of the EVNT rule with $\varphi$: $at\,\ell_0$ and $\psi$: $at\,\ell_1$, with $P_k = P_1$ being the helpful process.

However, in order to justify premise C, which is not trivial in this case, we have to prove

$\vdash \ell_0 \supset \Diamond(\ell_1 \vee y > 0).$

For this we have to consider $P_2$'s position. If $P_2$ is at $m_0$ or $m_2$ then $y = 1$ by the invariant proved above. The only other case is when $P_2$ is at $m_1$, where by a single application of the EVNT rule it will eventually move to $m_2$, producing a positive value of $y$. This may be represented by a secondary diagram:

$\ell_0, m_1 \;\Longrightarrow_{P_2}\; \ell_0, y > 0$

The diagram representation of a proof according to the CHAIN principle is very similar to the proof lattices introduced in [OL] as a concise presentation of a proof of a liveness property. A superficial difference is that they choose to represent as edges the consequences of the EVNT rule, while in our representation edges stand for the premises of the EVNT rule, which are also the premises to the CHAIN rule. To illustrate this difference, consider the following trivial program:

$\ell_0$: $y := y$
$\ell_1$:

$m_0$: go to $m_0$

The liveness property to be proved is $\ell_0 \supset \Diamond\ell_1$. Below are diagram representations of the CHAIN principle and a proof lattice according to [OL].

[CHAIN Diagram]   [Proof Lattice]

As we see, the CHAIN diagram contains a self-edge labelled by $P_2$ (this time drawn explicitly) and a helpful edge labelled by $P_1$. The process $P_1$ is guaranteed to get us to $\ell_1$. As a consequence of this, by the EVNT rule, $\ell_0 \supset \Diamond\ell_1$. This conclusion is represented in the proof lattice by a single edge from $\ell_0$ to $\ell_1$. Thus, the different choices of representation lead to the following minor syntactical differences between CHAIN diagrams and proof lattices:

(a) Proof lattices are acyclic, whereas CHAIN diagrams are only weakly acyclic, i.e., may contain self-loops.

(b) In CHAIN diagrams, edges are labelled by the processes responsible for the transition. Special identification is provided for edges traversed by the helpful process. In proof lattices, we no longer care about the identities of the processes since progress along the lattice has already been established.

However, these differences are minor and a simple procedure for translation between CHAIN diagrams and proof lattices exists. The important part in both is the identification of the intermediate assertions that are represented as nodes. In constructing a proof, this is usually the creative and most demanding process. Both graph presentations provide a natural and intuitive representation of these assertions and the precedence relations between them.

The chain-reasoning principle assumed a finite number of links in the chain. It is quite adequate for finite-state programs, i.e., programs whose variables range over finite domains. However, once we consider programs over the integers it is no longer sufficient to consider only finitely many assertions. In fact, sets of assertions of quite high cardinality are needed. The obvious generalization of a finite set of assertions $\{\varphi_i \mid i = 0, \ldots, r\}$ is to consider a single assertion $\varphi(\alpha)$, parametrized by a parameter $\alpha$ taken from a well-founded ordered set $(A, \prec)$. Obviously, the most important property of our chain of assertions is that program transitions eventually lead from $\varphi_i$ to $\varphi_j$ with $j < i$. This property can also be stated for an arbitrary well-founded ordering. Thus a natural generalization of the chain reasoning rule is the following:


The Well Founded Liveness Principle — WELL

Let $(A, \prec)$ be a well-founded set. Let $\varphi(\alpha) = \varphi(\alpha; \bar{\pi}; \bar{y})$ be a parametrized state formula.

Let $h : A \to [1..k]$ be a helpfulness function identifying for each $\alpha \in A$ the helpful process $P_{h(\alpha)}$ for states in $\varphi(\alpha)$.

A. $\vdash P$ leads from $\varphi(\alpha)$ to $\psi \vee (\exists\beta \preceq \alpha\,.\,\varphi(\beta))$

B. $\vdash P_{h(\alpha)}$ leads from $\varphi(\alpha)$ to $\psi \vee (\exists\beta \prec \alpha\,.\,\varphi(\beta))$

C. $\vdash \varphi(\alpha) \supset \Diamond[\psi \vee (\exists\beta \prec \alpha\,.\,\varphi(\beta)) \vee Enabled(P_{h(\alpha)})]$

$\vdash (\exists\alpha\,.\,\varphi(\alpha)) \supset (\exists\alpha\,.\,\varphi(\alpha))\,U\,\psi$




15.  EXAMPLE  4:  BINOMIAL  COEFFICIENT 


As an example for the application of the WELL principle, we consider the following program that computes the binomial coefficient $\binom{n}{k}$ for inputs $0 \le k \le n$.


(y1, y2, y3, y4) := (n, 0, 1, 1)

l7 : if y1 = (n - k) then go to l1
l6 : request(y4)
l5 : t1 := y3 * y1
l4 : y3 := t1
l3 : release(y4)
l2 : y1 := y1 - 1
l8 : go to l7
l1 : halt

- P1 -

m3 : if y2 = k then go to m1
m2 : y2 := y2 + 1
m9 : loop until y1 + y2 <= n
m8 : request(y4)
m7 : t2 := y3 / y2
m6 : y3 := t2
m5 : release(y4)
m4 : go to m3
m1 : halt

- P2 -


The labelling scheme of the program has been constructed in a way that simplifies the expression of the assertion $\varphi(\alpha)$.

The computation of this program is based on the formula:

$$\binom{n}{k} = \frac{n \cdot (n-1) \cdots (n-k+1)}{1 \cdot 2 \cdots k}.$$

The values of $y_1$, i.e., $n, n-1, \ldots, n-k+1$, are used to compute the numerator in $P_1$, and the values of $y_2$, i.e., $1, 2, \ldots, k$, are used to compute the denominator. The process $P_1$ multiplies $n \cdot (n-1) \cdots (n-k+1)$ into $y_3$ while $P_2$ divides $y_3$ by $1 \cdot 2 \cdots k$.

The instruction

$m_9$ : loop until $y_1 + y_2 \le n$

guarantees even divisibility of $y_3$ by $y_2$. It synchronizes $P_2$'s operation with that of $P_1$ to ensure that $y_3$ is divided by $i$ only after $(n - i + 1)$ has already been multiplied into it. We rely here on the mathematical theorem that the product of $i$ consecutive integers $n \cdot (n-1) \cdots (n-i+1)$ is always divisible by $i!$ (the quotient actually being the integer $\binom{n}{i}$).

The critical sections $l_{3..5}$ and $m_{5..7}$ are mutually protected by the semaphore variable $y_4$. This protection ensures that $y_3$ is not updated by $P_2$ between, say, the computation of $y_3 \cdot y_1$ and the assignment of this value to $y_3$. Without this protection, the updated value might have been overwritten by $P_2$.


We start by establishing some invariant properties of this program.


$I_1$ : $\vdash (at\,l_{3..5} + at\,m_{5..7} + y_4 = 1) \wedge (y_4 \ge 0)$.

This is the usual semaphore invariant. It can be proven by observing that initially this sum equals 1, and then by considering all possible transitions. For example, the $l_6 \to l_5$ transition changes $at\,l_{3..5}$ from 0 (false) to 1 (true), and also decrements $y_4$ by 1, leaving however the sum constant. From $I_1$ we can deduce mutual exclusion of the critical sections, i.e.,

$\vdash (\neg at\,l_{3..5}) \vee (\neg at\,m_{5..7})$.

As a consequence of this we can establish:

$I_2$ : $\vdash (at\,l_4 \supset t_1 = y_3 \cdot y_1) \wedge (at\,m_6 \supset t_2 = y_3 / y_2)$.

This holds due to the impossibility of interference by $P_2$ while $P_1$ is at $l_4$.

$I_3$ : $\vdash (n - k + at\,l_{2..6}) \le y_1 \le n$.

This invariance states that $y_1$ always lies between $n - k$ and $n$. When $P_1$ is at $l_{2..6}$, $y_1 > n - k$, whereas when $P_1$ is at other locations, $y_1 \ge n - k$. To verify $I_3$ we need only consider the transitions:

• $l_7 \to l_6$ which maintains $n - k < y_1 \le n$, assuming it was previously known that $n - k \le y_1 \le n$.

• $l_2 \to l_8$ which results in $n - k \le y_1 - 1 \le n$ from $n - k < y_1 \le n$.


$I_4$ : $\vdash 0 \le y_2 \le (k - at\,m_2)$.

This invariance bounds the range of $y_2$. We need consider the transitions $m_3 \to m_2$ and $m_2 \to m_9$ which can be shown to maintain $I_4$.

$I_5$ : $\vdash at\,m_{7..8} \supset (y_1 + y_2) \le n$.

Here we should consider two transitions:

• $m_9 \to m_8$ which is possible only if currently $y_1 + y_2 \le n$.

• $l_2 \to l_8$ is the only transition modifying $y_1$. However since it decrements $y_1$ it certainly preserves $y_1 + y_2 \le n$.

Let us define the following virtual variables:

$y_1^* =$ if $at\,l_{2,3}$ then $y_1 - 1$ else $y_1$
$y_2^* =$ if $at\,m_{6..9}$ then $y_2 - 1$ else $y_2$

These variables are roughly equal to $y_1$ and $y_2$ respectively and differ from them by 1 in certain ranges.


$I_6$ : $\vdash y_3 = [n \cdot (n-1) \cdots (y_1^* + 1)] / [1 \cdot 2 \cdots y_2^*]$.

To verify this invariant we have to check the transitions $l_4 \to l_3$ and $m_6 \to m_5$. Making use of $I_2$, they can be shown to maintain $I_6$.

$I_7$ : $\vdash [at\,l_1 \supset y_1 = (n - k)] \wedge [at\,m_1 \supset (y_2 = k)]$.

Using $I_6$, $I_7$ and the definition of $y_1^*, y_2^*$ we obtain partial correctness of this program, namely

$\vdash (at\,l_1 \wedge at\,m_1) \supset [y_3 = \binom{n}{k}]$.


To prove termination we will use the WELL rule in order to establish $\vdash \Diamond(at\,l_1 \wedge at\,m_1)$. As the well-founded domain we take

$(A, \prec) = (N \times N \times N, \prec_{lex})$.

That is, the set of triplets of non-negative integers ordered by lexicographic ordering. This ordering defines $(m_1, m_2, m_3) \prec (n_1, n_2, n_3)$ iff for the lowest $i$, $i = 1, 2, 3$, such that $m_i \ne n_i$, $m_i < n_i$.

For our goal assertion we take $\psi : at\,l_1 \wedge at\,m_1$. The parameterized assertion is given by:

$\varphi(\alpha; l_i, m_j; y_1, y_2) : (y_1 + k - y_2,\ j,\ i) = \alpha$.

The helpfulness function is given by:

$h(\alpha) = h(r, j, i) =$ (if $i = 1$ then 2 else 1).

Thus as long as the first process $P_1$ has not terminated we rely on $P_1$ to be the helpful process. Once it has terminated, we take $P_2$ to be the helpful process.

We have to show that all the three premises of the WELL rule are satisfied.

Consider first premise A. We have to show that every transition of $P$ leads to $\varphi(\beta)$ with $\beta \preceq \alpha$ if $\psi$ is not already satisfied. By simple inspection of all the possible transitions we find that they all lead from $(l_i, m_j)$ to $(l_{i'}, m_{j'})$ such that either $i' < i$ or $j' < j$, except for the following transitions:

• $l_2 \to l_8$. But this transition decrements $y_1$, producing a strict decrease in $y_1 + k - y_2$, which is the first component in $\alpha$.

• $m_2 \to m_9$. In a similar way this transition increments $y_2$, leading to a decrease in $y_1 + k - y_2$.

• $m_9 \to m_9$. This transition leaves $\alpha$ at the same value.

Consider now premise B. As we have shown above, all transitions provide a strict decrease in $\alpha$. The only exception is $m_9 \to m_9$. However this is a $P_2$-transition which is considered helpful only when $P_1$ is at $l_1$. By $I_7$, at this point $y_1 = (n - k)$, so that in view of $I_4$, $y_1 + y_2 \le n$ and hence the only transition possible from $m_9$ is $m_9 \to m_8$.
To show premise C we have to prove that $P_h$ is always eventually enabled. Consider first the case that $h = 1$. The only location in which it is not immediately enabled is when $P_1$ is at $l_6$ while $P_2$ is at $m_{5..7}$ (in view of $I_1$). However by simple chain reasoning it is obvious that in such a case, $P_2$ will certainly reach $m_4$, in which $y_4$ becomes positive and $P_1$ enabled.

The case $h = 2$ is even simpler because it is only considered when $P_1$ is at $l_1$. Consequently, even when $P_2$ is at $m_8$, which may potentially raise some problems, we have in view of $I_1$ and $at\,l_1$ that $y_4 > 0$ and $P_2$ is enabled.

Thus we conclude that $\psi : at\,l_1 \wedge at\,m_1$ must eventually be realized and therefore the program must terminate.
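The invariants $I_1$ to $I_7$, the partial-correctness claim and WELL premises A and B above can be checked mechanically for concrete inputs. The following Python exploration is an added example, not part of the paper: it encodes $P_1$ and $P_2$ exactly as listed, walks every interleaving for given $n, k$, and asserts the invariants at every reachable state, $y_3 = \binom{n}{k}$ at $(l_1, m_1)$, and that $\alpha = (y_1 + k - y_2, j, i)$ never increases on any transition and strictly decreases on every transition of the helpful process $P_{h(\alpha)}$. The dictionary representation of a state and the initial value 0 for the temporaries $t_1, t_2$ are assumptions of the example.

```python
from math import comb, prod

def p1_step(s, n, k):   # one step of P1 from state dict s; None if blocked or halted
    s, l = dict(s), s["l"]
    if l == 7: s["l"] = 1 if s["y1"] == n - k else 6
    elif l == 6:
        if s["y4"] == 0: return None                  # request(y4) blocked
        s["y4"] -= 1; s["l"] = 5
    elif l == 5: s["t1"] = s["y3"] * s["y1"]; s["l"] = 4
    elif l == 4: s["y3"] = s["t1"]; s["l"] = 3
    elif l == 3: s["y4"] += 1; s["l"] = 2             # release(y4)
    elif l == 2: s["y1"] -= 1; s["l"] = 8
    elif l == 8: s["l"] = 7
    else: return None                                 # l1: halt
    return s

def p2_step(s, n, k):   # one step of P2; m9 is a self-loop while y1 + y2 > n
    s, m = dict(s), s["m"]
    if m == 3: s["m"] = 1 if s["y2"] == k else 2
    elif m == 2: s["y2"] += 1; s["m"] = 9
    elif m == 9: s["m"] = 8 if s["y1"] + s["y2"] <= n else 9
    elif m == 8:
        if s["y4"] == 0: return None                  # request(y4) blocked
        s["y4"] -= 1; s["m"] = 7
    elif m == 7: s["t2"] = s["y3"] // s["y2"]; s["m"] = 6
    elif m == 6: s["y3"] = s["t2"]; s["m"] = 5
    elif m == 5: s["y4"] += 1; s["m"] = 4             # release(y4)
    elif m == 4: s["m"] = 3
    else: return None                                 # m1: halt
    return s
# the page's alpha = (y1 + k - y2, j, i); Python tuples compare lexicographically
rank = lambda s, k: (s["y1"] + k - s["y2"], s["m"], s["l"])

def invariants_hold(s, n, k):   # I1..I7 of the page, with the virtual variables y1*, y2*
    l, m, y1, y2, y3, y4 = (s[v] for v in ("l", "m", "y1", "y2", "y3", "y4"))
    y1s = y1 - 1 if l in (2, 3) else y1
    y2s = y2 - 1 if 6 <= m <= 9 else y2
    num, den = prod(range(y1s + 1, n + 1)), prod(range(1, y2s + 1))
    return ((3 <= l <= 5) + (5 <= m <= 7) + y4 == 1 and y4 >= 0        # I1
        and (l != 4 or s["t1"] == y3 * y1) and (m != 6 or s["t2"] == y3 // y2)  # I2
        and n - k + (2 <= l <= 6) <= y1 <= n                            # I3
        and 0 <= y2 <= k - (m == 2)                                     # I4
        and (m not in (7, 8) or y1 + y2 <= n)                           # I5
        and y3 * den == num                                             # I6
        and (l != 1 or y1 == n - k) and (m != 1 or y2 == k))            # I7

def explore(n, k):      # walk every interleaving; returns the number of reachable states
    init = {"l": 7, "m": 3, "y1": n, "y2": 0, "y3": 1, "y4": 1, "t1": 0, "t2": 0}
    key = lambda s: tuple(sorted(s.items()))
    seen, todo = {key(init)}, [init]
    while todo:
        s = todo.pop()
        assert invariants_hold(s, n, k), s
        if (s["l"], s["m"]) == (1, 1): assert s["y3"] == comb(n, k), s; continue
        helpful = 2 if s["l"] == 1 else 1             # h(alpha) from the page
        for proc, t in ((1, p1_step(s, n, k)), (2, p2_step(s, n, k))):
            if t is None: continue
            assert rank(t, k) <= rank(s, k), (s, t)   # premise A: alpha never increases
            if proc == helpful: assert rank(t, k) < rank(s, k), (s, t)  # premise B
            if key(t) not in seen: seen.add(key(t)); todo.append(t)
    return len(seen)
```

Premise C (the helpful process is always eventually enabled) is a fairness property over infinite sequences and is not checked here; the exploration is bounded because $y_1, y_2$ and $y_3$ are bounded by $I_3$, $I_4$ and $I_6$.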


16.  PRECEDENCE  PROPERTIES 


The next class of properties we will consider and provide proof principles for is that of precedence properties. These are properties, usually needing the $U$ operator for their expression, which ensure that some event precedes another event, or that a certain event will not happen until another event happens first. In view of the fact that the basic FAIR and EVNT rules did actually provide a conclusion containing the $U$ operator, they may be naturally utilized to form precedence proof principles which are generalizations of the corresponding liveness principles.

In the following we will often consider nested until expressions in which the nesting always occurs in the second argument. We therefore adopt the convention of representing the nested formula:

$\varphi_n\,U\,(\varphi_{n-1}\,U\,(\ldots(\varphi_1\,U\,\varphi_0)\ldots))$

by:

$\varphi_n\,U\,\varphi_{n-1}\,U\,\ldots\,\varphi_1\,U\,\varphi_0$.


The semantic meaning of this formula is that, starting from the present, there is going to be a period in which $\varphi_n$ continuously holds, followed by another period in which $\varphi_{n-1}$ continuously holds, ..., followed by a period in which $\varphi_1$ continuously holds, until finally $\varphi_0$ occurs. Any of these periods may be empty, but the occurrence of $\varphi_0$ is guaranteed.

Let us consider first the proper generalization of the CHAIN rule in which we assume a finite chain of assertions $\varphi_r, \varphi_{r-1}, \ldots, \varphi_1$ leading to the goal $\psi = \varphi_0$.

Let $0 < p_1 < p_2 < \ldots < p_s = r$ be a partition of the index range into $s$ contiguous segments. Then we may formulate the following chain principle for precedence properties:
The Chain Rule for Precedence Properties — P-CHAIN

Let $\varphi_0, \varphi_1, \ldots, \varphi_r$ be a sequence of state assertions, and $0 = p_0 < p_1 < p_2 < \cdots < p_s = r$ a partition of $[1..r]$.

A. $\vdash P$ leads from $\varphi_i$ to $(\bigvee_{j \le i} \varphi_j)$ for $i = 1, \ldots, r$.

B. For every $i > 0$ there exists a $k = k_i$ such that:

$\vdash P_k$ leads from $\varphi_i$ to $(\bigvee_{j < i} \varphi_j)$

C. For $i > 0$ and $k = k_i$ as above:

$\vdash \varphi_i \supset \Diamond[(\bigvee_{j < i} \varphi_j) \vee Enabled(P_k)]$

$\vdash (\bigvee_{i=0}^{r} \varphi_i) \supset (\psi_s\,U\,\psi_{s-1}\,U\,\ldots\,U\,\varphi_0)$

where

$\psi_l$ is $\bigvee_{p_{l-1} < j \le p_l} \varphi_j$ for $l = 1, \ldots, s$.

The conclusion states that starting at a state that satisfies one of the $\varphi_i$, $i = 0, \ldots, r$, we are guaranteed to have a period in which $(\bigvee_{j = p_{s-1}+1}^{p_s} \varphi_j)$ continuously holds, followed by a period in which $(\bigvee_{j = p_{s-2}+1}^{p_{s-1}} \varphi_j)$ continuously holds, etc., until $\varphi_0$ is finally realized. Any of these periods may be empty.

Proof: 

To justify the soundness of this conclusion we will first prove it for the most refined partition possible, namely:

$\vdash (\bigvee_{i=0}^{r} \varphi_i) \supset (\varphi_r\,U\,\varphi_{r-1}\,U\,\varphi_{r-2}\,U\,\ldots\,\varphi_1\,U\,\varphi_0)$.

This is proved in a way similar to the justification of the corresponding liveness principle. We show, by induction on $n$, $n = 0, 1, \ldots, r$, that

$\vdash (\bigvee_{i=0}^{n} \varphi_i) \supset (\varphi_n\,U\,\varphi_{n-1}\,U\,\ldots\,\varphi_1\,U\,\varphi_0)$.

For $n = 0$ we have $\vdash \varphi_0 \supset \varphi_0$, which is the induction statement for $n = 0$.

Assume that the statement above has been proved for a certain $n$ and consider its proof for $n + 1$.

Consider the EVNT rule with $\varphi = \varphi_{n+1}$, $\psi = (\bigvee_{i=0}^{n} \varphi_i)$. As shown in the proof of the liveness case, all the premises of the EVNT rule are satisfied. Consequently we may conclude:

$\vdash \varphi_{n+1} \supset \varphi_{n+1}\,U\,(\bigvee_{i=0}^{n} \varphi_i)$.

By the induction hypothesis and the UU rule this yields

$\vdash \varphi_{n+1} \supset \varphi_{n+1}\,U\,(\varphi_n\,U\,\ldots\,\varphi_1\,U\,\varphi_0)$.

Due to $\vdash v \supset (u\,U\,v)$, which is a consequence of axiom A9, the induction hypothesis can also be written as

$\vdash (\bigvee_{i=0}^{n} \varphi_i) \supset \varphi_{n+1}\,U\,(\varphi_n\,U\,\ldots\,\varphi_1\,U\,\varphi_0)$.

Taking the disjunction of the last two gives

$\vdash (\bigvee_{i=0}^{n+1} \varphi_i) \supset \varphi_{n+1}\,U\,(\varphi_n\,U\,\ldots\,\varphi_1\,U\,\varphi_0)$,

which is the required statement for $n + 1$.

Consider now a coarser partition:

$0 = p_0 < p_1 < p_2 < \cdots < p_s = r$.

By consecutively merging any two contiguous assertions that fall into the same partition cell, using theorem T38:

$\vdash (\varphi_{i+1}\,U\,(\varphi_i\,U\,\varphi)) \supset ((\varphi_{i+1} \vee \varphi_i)\,U\,\varphi)$,

we obtain the coarser conclusion:

$\vdash (\bigvee_{i=0}^{r} \varphi_i) \supset ((\bigvee_{p_{s-1} < j \le p_s} \varphi_j)\,U\,(\bigvee_{p_{s-2} < j \le p_{s-1}} \varphi_j)\,U\,\ldots\,(\bigvee_{0 < j \le p_1} \varphi_j)\,U\,\varphi_0)$.


Examples:

As our first example, let us consider the Mutual Exclusion program analyzed above. We have already proven that mutual exclusion is maintained by this program. We have also proven the liveness property that if $P_1$ wishes to enter its critical section it will eventually gain access to it. A more discriminating question is that of how fair our algorithm is. That is, if $P_1$ wishes to enter its critical section, how many times will $P_2$ be able to enter its own critical section before $P_1$? Is that number bounded? We refer to this question as the problem of bounded overtaking. Namely, how many times can $P_2$ overtake $P_1$ before $P_1$ enters its critical section?

Our first analysis makes use of Fig. 1 without any modifications. We only read from it the stronger conclusion according to the stronger P-CHAIN rule. As a partition we choose $p_1 = 7$, $p_2 = 9$, $p_3 = r = 11$. Consequently, from the diagram of Fig. 1 we conclude by the P-CHAIN rule:

$\vdash (\bigvee_{i=1}^{11} \varphi_i) \supset ((\bigvee_{i=10}^{11} \varphi_i)\,U\,(\bigvee_{i=8}^{9} \varphi_i)\,U\,(\bigvee_{i=1}^{7} \varphi_i)\,U\,\varphi_0)$.

Replacing each of the right hand side disjunctions by a weaker property and the left hand side disjunction by a stronger statement we obtain:

$\vdash l_{3,4} \supset ((\neg m_{5,6})\,U\,m_{5,6}\,U\,(\neg m_{5,6})\,U\,l_5)$.

This implies that if $P_1$ is at the waiting loop in $l_{3,4}$ there will be a period in which $P_2$ is not in the critical section $m_{5,6}$, followed by a period in which $P_2$ is inside the critical section $m_{5,6}$, followed by a period in which $P_2$ is outside the critical section, which terminates by $P_1$ entering its critical section. Since any of these periods may be empty this is a worst-case analysis. But it certainly assures 1-bounded overtaking, i.e., once $P_1$ is in $l_{3,4}$, $P_2$ may overtake it at most once.

Having successfully analyzed the situation from $l_{3,4}$ on, we may attempt to obtain a similar analysis from the moment that $P_1$ enters $l_2$.

This analysis calls for a refinement of the diagram of Fig. 1. The following is a subdiagram that should replace the node corresponding to $\varphi_{12}$ in Fig. 1. It consists of three nodes labelled respectively $\varphi_{7.5}$, $\varphi_{9.5}$ and $\varphi_{11.5}$. The fractional indexing indicates that $\varphi_{7.5}$ should be inserted between $\varphi_7$ and $\varphi_8$ in Fig. 1. The edges out of $\varphi_{12}$ should enter one of these three nodes. Edges out of $\varphi_{7.5}$ lead to some of $\varphi_1, \ldots, \varphi_7$.


Similarly for edges out of $\varphi_{9.5}$ and $\varphi_{11.5}$. Considering the updated diagram composed of Fig. 1 and the above subdiagram we obtain the following conclusion:

$\vdash l_{2..4} \supset ((\bigvee_{i=10}^{11.5} \varphi_i)\,U\,(\bigvee_{i=8}^{9.5} \varphi_i)\,U\,(\bigvee_{i=1}^{7.5} \varphi_i)\,U\,\varphi_0)$.

This again leads to

$\vdash l_{2..4} \supset ((\neg m_{5,6})\,U\,m_{5,6}\,U\,(\neg m_{5,6})\,U\,l_5)$,

which ensures 1-bounded overtaking even from $l_2$. Encouraged by this, we may next ask whether a similar result can be obtained from $l_1$. Unfortunately this is not the case. $P_2$ may enter its critical section an arbitrary number of times while $P_1$ is at $l_1$. This is obvious since, while being at $l_1$, $P_1$ has not yet modified any variable in a way that will show that it is not still in $l_0$. And naturally while $P_1$ is at $l_0$, $P_2$ may enter the critical section any number of times if the algorithm is correct.


THE  WELL-FOUNDED  PRINCIPLE  FOR  PRECEDENCE  PROPERTIES 

A natural extension of the P-CHAIN rule to programs that require infinite chains of assertions again uses well-founded ordered sets.

Let $(A, \prec)$ be a well-founded ordered set. We require however that the ordering is total (or linear). That is, for every two distinct elements $\alpha_1, \alpha_2 \in A$ either $\alpha_1 \prec \alpha_2$ or $\alpha_2 \prec \alpha_1$.

Note that while the range of the parameter in the assertions is infinite, the partition is still finite.